|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #16653 $PHP_AUTH_PW accessible when authentication is done by Apache
Submitted: 2002-04-17 03:56 UTC Modified: 2002-06-13 18:15 UTC
Avg. Score:4.7 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: stefan dot peer at tiwag dot at Assigned:
Status: Closed Package: Apache related
PHP Version: 4.1.2 OS: SuSE Linux 7.x
Private report: No CVE-ID: None
 [2002-04-17 03:56 UTC] stefan dot peer at tiwag dot at
This bug is security related. The password of any user which is authenticated via Apache is still accessible through $PHP_AUTH_PW to any user who is able to execute php-scripts. I'm using mod_auth_samba to authenticate users with their windows-passwords. states, that "In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page. In this case, the $REMOTE_USER variable can be used to identify the externally-authenticated user.

Configuration Note: PHP uses the presence of an AuthType directive to determine whether external authentication is in effect. Remember to avoid this directive for the context where you want to use PHP authentication (otherwise each authentication attempt will fail)."

Unless I'm completely mistaken, $PHP_AUTH_USER and $PHP_AUTH_PW are set, regardless of the existence of the 'AuthType'-directive.

* SuSE Linux 7.3
* Apache 1.3.23:
  <Location "/testme.php">
    AuthType Basic
    Options FollowSymLinks
    AllowOverride None
    AuthSambaEnabled On
    AuthAuthoritative On      
    AuthName "php_auth_pw Test"
    AuthSambaDomain tiwag:exchange,hvntsna
    require valid-user
    Order Allow,Deny
    Allow from all
Compile options:
LIBS="/lib/security/ -lpam /usr/lib/" \
./configure     --prefix=/usr/local/apache \
                --add-module=src/modules/extra/mod_auth_samba.c \
                --enable-module=access \
                --enable-module=actions \
                --enable-module=alias \
                --enable-module=asis \
                --enable-module=auth \
                --enable-module=auth_digest \
                --enable-module=autoindex \
                --enable-module=cgi \
                --enable-module=dir \
                --enable-module=env \
                --enable-module=expires \
                --enable-module=headers \
                --enable-module=imap \
                --enable-module=include \
                --enable-module=info \
                --enable-module=log_config \
                --enable-module=mime \
                --enable-module=mime_magic \
                --enable-module=negotiation \
                --enable-module=setenvif \
                --enable-module=so \
                --enable-module=speling \
                --enable-module=ssl \
                --enable-module=status \
                --enable-module=userdir \
                --server-uid=httpd \
                --server-gid=httpd \

* PHP 4.1.2
Compile options:
./configure --prefix=/usr/local/php \
            --with-apxs=/usr/local/apache/bin/apxs \
            --enable-magic-quotes \
            --with-bz2 \
            --with-java=/usr/lib/java \
            --with-mcrypt \
            --enable-mailparse \
            --with-mysql=/usr/local/mysql \
            --with-ncurses \
            --with-pdflib=/usr/lib \
            --with-mm=/usr/lib \
            --enable-sockets \
            --enable-trans-sid \
            --enable-memory-limit \
            --enable-shared \
            --enable-static \
            --enable-tsrm-pthreads \


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-13 18:15 UTC]
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at In case this was a documentation 
problem, the fix will show up soon at
In case this was a website problem, the change will show
up on the site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jul 23 22:01:28 2024 UTC