|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #16653 $PHP_AUTH_PW accessible when authentication is done by Apache
Submitted: 2002-04-17 03:56 UTC Modified: 2002-06-13 18:15 UTC
Avg. Score:4.7 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: stefan dot peer at tiwag dot at Assigned:
Status: Closed Package: Apache related
PHP Version: 4.1.2 OS: SuSE Linux 7.x
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: stefan dot peer at tiwag dot at
New email:
PHP Version: OS:


 [2002-04-17 03:56 UTC] stefan dot peer at tiwag dot at
This bug is security related. The password of any user which is authenticated via Apache is still accessible through $PHP_AUTH_PW to any user who is able to execute php-scripts. I'm using mod_auth_samba to authenticate users with their windows-passwords. states, that "In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page. In this case, the $REMOTE_USER variable can be used to identify the externally-authenticated user.

Configuration Note: PHP uses the presence of an AuthType directive to determine whether external authentication is in effect. Remember to avoid this directive for the context where you want to use PHP authentication (otherwise each authentication attempt will fail)."

Unless I'm completely mistaken, $PHP_AUTH_USER and $PHP_AUTH_PW are set, regardless of the existence of the 'AuthType'-directive.

* SuSE Linux 7.3
* Apache 1.3.23:
  <Location "/testme.php">
    AuthType Basic
    Options FollowSymLinks
    AllowOverride None
    AuthSambaEnabled On
    AuthAuthoritative On      
    AuthName "php_auth_pw Test"
    AuthSambaDomain tiwag:exchange,hvntsna
    require valid-user
    Order Allow,Deny
    Allow from all
Compile options:
LIBS="/lib/security/ -lpam /usr/lib/" \
./configure     --prefix=/usr/local/apache \
                --add-module=src/modules/extra/mod_auth_samba.c \
                --enable-module=access \
                --enable-module=actions \
                --enable-module=alias \
                --enable-module=asis \
                --enable-module=auth \
                --enable-module=auth_digest \
                --enable-module=autoindex \
                --enable-module=cgi \
                --enable-module=dir \
                --enable-module=env \
                --enable-module=expires \
                --enable-module=headers \
                --enable-module=imap \
                --enable-module=include \
                --enable-module=info \
                --enable-module=log_config \
                --enable-module=mime \
                --enable-module=mime_magic \
                --enable-module=negotiation \
                --enable-module=setenvif \
                --enable-module=so \
                --enable-module=speling \
                --enable-module=ssl \
                --enable-module=status \
                --enable-module=userdir \
                --server-uid=httpd \
                --server-gid=httpd \

* PHP 4.1.2
Compile options:
./configure --prefix=/usr/local/php \
            --with-apxs=/usr/local/apache/bin/apxs \
            --enable-magic-quotes \
            --with-bz2 \
            --with-java=/usr/lib/java \
            --with-mcrypt \
            --enable-mailparse \
            --with-mysql=/usr/local/mysql \
            --with-ncurses \
            --with-pdflib=/usr/lib \
            --with-mm=/usr/lib \
            --enable-sockets \
            --enable-trans-sid \
            --enable-memory-limit \
            --enable-shared \
            --enable-static \
            --enable-tsrm-pthreads \


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-13 18:15 UTC]
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at In case this was a documentation 
problem, the fix will show up soon at
In case this was a website problem, the change will show
up on the site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Mon Dec 11 10:01:29 2023 UTC