PHP :: Bug #37970 :: PHP_AUTH_PW and PHP_AUTH

Bug #37970	PHP_AUTH_PW and PHP_AUTH_USER are being exposed
Submitted:	2006-06-30 04:52 UTC	Modified:	2006-06-30 07:48 UTC
From:	ct at swin dot edu dot au	Assigned:
Status:	Not a bug	Package:	Unknown/Other Function
PHP Version:	5.1.4	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	ct at swin dot edu dot au
New email:
PHP Version:		OS:

New Comment:

[2006-06-30 04:52 UTC] ct at swin dot edu dot au

Description:
------------
PHP_AUTH_PW and PHP_AUTH_USER are exposed to other scripts running in a shared host environment.

Reproduce code:
---------------
user1 has a PHP web page http://www.example.com/~user1 that uses external authentication via Apache basic authentication.

/home/user1/public_html/.htaccess

AuthType Basic
AuthName "This is a test"
AuthUserfile /home/user1/public_html/.htpasswd
Require valid-user

user2 has a PHP page http://www.example.com/~user2 that prints out $_SERVER

A user visits http://www.example.com/~user1 (No trailing slash) and enters their username/password entered in popup window.

The user then visits http://www.example.com/~user2.  Their password is then exposed to this script.

This does not happen if the URL of the page asking for authentication has an appended slash. Eg. http://www.example.com/~user/.




Expected result:
----------------
PHP_AUTH_USER and PHP_AUTH_PW should not be exposed to other users scripts on a shared host. 

Actual result:
--------------
PHP_AUTH_USER and PHP_AUTH_PW are exposed to script even when safe_mode is enabled.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-06-30 07:48 UTC] tony2001@php.net

Please direct your complaints to the developers of your browser, since your _BROWSER_ sends login/password pair and it has *nothing* to do with PHP.

[2013-01-24 12:13 UTC] schmidt at holzlandbecker dot de

what _exactly_ does set this PHP_AUTH_PW variable for php global variable $_SERVER?
what is it for?
why is it called PHP_AUTH_*?
what does the browser do, for this variable to be forever in $_SESSION?

as i can reproduce this with (apache kerberos login + php 5.3.3) curl, firefox, chrome and ms-ie, i would like to know what are those "browsers" doing wrong.

[2013-01-24 12:16 UTC] schmidt at holzlandbecker dot de

typo:
what does the browser do, for this variable to be forever in $_SERVER?

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Jul 07 10:01:34 2025 UTC