Bug #42347 Inconsistency of treatments of PHP_AUTH_PW and HTTP Authorization header
Submitted: 2007-08-20 10:48 UTC Modified: 2008-07-11 21:29 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: c dot i dot morris at durham dot ac dot uk Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 4.4.7 OS: Linux+Apache
Private report: No CVE-ID: None

 [2007-08-20 10:48 UTC] c dot i dot morris at durham dot ac dot uk
Description:
------------
In safe mode, the PHP_AUTH_PW variable is not available to users if the authorisation was handled by Apache rather than PHP (e.g. Apache's various mod_auth_*). This correctly prevents users from reading the passwords from a central user database simply by getting a logged-in user to view their page.

However, the HTTP Authorization header is not similarly filtered out in safe_mode, allowing a malicious user to use the code below to read other users' passwords.

This definitely affects apache_request_headers() - if there are any other functions also allowing reading of HTTP request headers, they should also be checked.

Reproduce code:
---------------
<?php
// in a directory with Basic auth via Apache configuration
$headers = apache_request_headers();
$auth = substr($headers['Authorization'],6);
$up = base64_decode($auth);
print($up);
?>

Expected result:
----------------
Should not print anything.

Actual result:
--------------
Prints username and password of authenticated user
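
The report asks that other ways of reading request headers also be checked. The following is an added example, not code from the report or from PHP itself: an audit helper that lists which channels expose Basic credentials to a script, without printing the password. The function names and sample values are constructed for illustration, and it assumes PHP 5.2 or later (strict base64 decoding).

```php
<?php
// Added example (not from the bug report): audit which request channels
// expose HTTP Basic credentials to a script. Passwords are never printed.

// Return true if $value looks like "Basic <base64(user:pass)>".
function is_basic_credential($value)
{
    if (!is_string($value) || strncasecmp($value, 'Basic ', 6) !== 0) {
        return false;
    }
    $decoded = base64_decode(trim(substr($value, 6)), true);
    return $decoded !== false && strpos($decoded, ':') !== false;
}

// $server: a $_SERVER-style array; $headers: an apache_request_headers()-style array.
// Returns the names of the channels through which credentials are readable.
function find_credential_exposure($server, $headers)
{
    $exposed = array();
    if (isset($server['PHP_AUTH_PW'])) {
        $exposed[] = '$_SERVER[PHP_AUTH_PW]';
    }
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (isset($server[$key]) && is_basic_credential($server[$key])) {
            $exposed[] = '$_SERVER[' . $key . ']';
        }
    }
    // Header names are case-insensitive, so compare without regard to case.
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0 && is_basic_credential($value)) {
            $exposed[] = 'request header ' . $name;
        }
    }
    return $exposed;
}

// Constructed sample: the state the report describes
// (PHP_AUTH_PW hidden, Authorization header still visible).
$sample_server  = array('REMOTE_USER' => 'alice');
$sample_headers = array(
    'Host'          => 'example.test',
    'Authorization' => 'Basic ' . base64_encode('alice:not-a-real-password'),
);
print_r(find_credential_exposure($sample_server, $sample_headers));

// On a live server, pass the real inputs instead:
// $h = function_exists('apache_request_headers') ? apache_request_headers() : array();
// print_r(find_credential_exposure($_SERVER, $h));
```

An empty result means none of the checked channels carried Basic credentials for that request; run it from a directory protected by the Apache auth configuration under test.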

 [2008-07-11 21:29 UTC] jani@php.net
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.