Request #9022 Selectable option for PHP_AUTH_PW
Submitted: 2001-01-31 02:37 UTC Modified: 2002-09-05 10:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: csy at hjc dot edu dot sg Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.0.4pl1 OS: Linux
Private report: No CVE-ID: None
 [2001-01-31 02:37 UTC] csy at hjc dot edu dot sg
I am currently running Apache-1.3.17 with php-4.0.4pl1. It appears that when I am using Apache's own mod_auth with .htaccess and .htpasswd authentication, PHP will store the password from Apache into the PHP_AUTH_PW variable.

Though it is sometimes useful, it also creates a security problem in the following situation.

Access to http://www.abc.com is limited to users who each have their own unique username/password.

http://www.abc.com/apps1 is developed and maintained by groupA

http://www.abc.com/apps2 is developed and maintained by groupB

Any malicious developer in groupA or B will be able to silently steal the user's password when they access either apps1 or apps2, without the user knowing, by just saving the values found in PHP_AUTH_USER and PHP_AUTH_PW.

The malicious developer can then use the saved password to assume the identity of the original user and access the website to perform functions without the original user knowing.

Hence I am wondering if it will be possible to have a configuration directive that can select whether PHP_AUTH_PW will store the external password when external authentication modules like mod_auth are used.
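One way to contain the exposure described in this report until a directive exists, as an added example that is not part of the bug report or of PHP itself: a site-wide prepend script that strips the credential from the request environment before any group's application code runs, while keeping the identity keys the applications legitimately need. It assumes PHP runs as an Apache module behind mod_auth and that php.ini points `auto_prepend_file` at this script (the path below is a placeholder).

```php
<?php
// Added example, not from the bug report. Intended use (placeholder path):
//   auto_prepend_file = /etc/php/strip_auth_pw.php
// The script runs before apps1/apps2 code on every request, so neither
// group's code ever sees the clear-text password handed over by mod_auth.

/**
 * Return a copy of a $_SERVER-style array with the external credential removed.
 * Identity keys (PHP_AUTH_USER, REMOTE_USER, AUTH_TYPE) are left intact so the
 * application can still tell who the authenticated user is.
 */
function strip_external_auth_password(array $server): array
{
    // Keys that carry the password, either in the clear or base64-encoded
    // inside the "Basic user:pass" Authorization header.
    $secret_keys = [
        'PHP_AUTH_PW',                  // clear-text password set by mod_php
        'HTTP_AUTHORIZATION',           // raw header in CGI/FastCGI deployments
        'REDIRECT_HTTP_AUTHORIZATION',  // same header after an Apache internal redirect
    ];
    foreach ($secret_keys as $key) {
        unset($server[$key]);
    }
    return $server;
}

/**
 * Self-check on a constructed request environment: the password keys must be
 * gone and the identity keys must survive. Returns true when the scrub behaves.
 */
function strip_external_auth_password_selfcheck(): bool
{
    $sample = [                         // constructed sample, not a real request
        'AUTH_TYPE'          => 'Basic',
        'PHP_AUTH_USER'      => 'alice',
        'PHP_AUTH_PW'        => 'example-password',
        'REMOTE_USER'        => 'alice',
        'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:example-password'),
    ];
    $scrubbed = strip_external_auth_password($sample);
    return !isset($scrubbed['PHP_AUTH_PW'])
        && !isset($scrubbed['HTTP_AUTHORIZATION'])
        && $scrubbed['PHP_AUTH_USER'] === 'alice'
        && $scrubbed['REMOTE_USER'] === 'alice';
}

// Apply to the live request before the application's own code loads.
$_SERVER = strip_external_auth_password($_SERVER);
```

This only removes the copy PHP hands to scripts; under mod_php a script may still be able to read the raw Authorization header through `apache_request_headers()`, so it limits accidental exposure and logging rather than removing the need for separate credentials across trust boundaries.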

 [2002-09-05 10:22 UTC] rasmus@php.net
Fixed in CVS
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 09:01:29 2024 UTC