php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #16653 $PHP_AUTH_PW accessible when authentication is done by Apache
Submitted: 2002-04-17 03:56 UTC Modified: 2002-06-13 18:15 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: stefan dot peer at tiwag dot at Assigned:
Status: Closed Package: Apache related
PHP Version: 4.1.2 OS: SuSE Linux 7.x
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: stefan dot peer at tiwag dot at
New email:
PHP Version: OS:

 

 [2002-04-17 03:56 UTC] stefan dot peer at tiwag dot at 
This bug is security related. The password of any user which is authenticated via Apache is still accessible through $PHP_AUTH_PW to any user who is able to execute php-scripts. I'm using mod_auth_samba to authenticate users with their windows-passwords.
http://www.php.net/manual/en/features.http-auth.php states, that "In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page. In this case, the $REMOTE_USER variable can be used to identify the externally-authenticated user.

Configuration Note: PHP uses the presence of an AuthType directive to determine whether external authentication is in effect. Remember to avoid this directive for the context where you want to use PHP authentication (otherwise each authentication attempt will fail)."

Unless I'm completely mistaken, $PHP_AUTH_USER and $PHP_AUTH_PW are set, regardless of the existence of the 'AuthType'-directive.
________________________________________________________
testme.php:
<?=$PHP_AUTH_USER?>
<br>
<?=$PHP_AUTH_PW?>
<br>
<?=$REMOTE_USER?>

Configuration:
---------------
* SuSE Linux 7.3
* Apache 1.3.23:
...
  <Location "/testme.php">
    AuthType Basic
    Options FollowSymLinks
    AllowOverride None
    AuthSambaEnabled On
    AuthAuthoritative On      
    AuthName "php_auth_pw Test"
    AuthSambaDomain tiwag:exchange,hvntsna
    require valid-user
    Order Allow,Deny
    Allow from all
  </Location>
...
Compile options:
LIBS="/lib/security/pam_smb_auth.so -lpam /usr/lib/libdbm.so" \
./configure     --prefix=/usr/local/apache \
                --add-module=src/modules/extra/mod_auth_samba.c \
                --enable-module=access \
                --enable-module=actions \
                --enable-module=alias \
                --enable-module=asis \
                --enable-module=auth \
                --enable-module=auth_digest \
                --enable-module=autoindex \
                --enable-module=cgi \
                --enable-module=dir \
                --enable-module=env \
                --enable-module=expires \
                --enable-module=headers \
                --enable-module=imap \
                --enable-module=include \
                --enable-module=info \
                --enable-module=log_config \
                --enable-module=mime \
                --enable-module=mime_magic \
                --enable-module=negotiation \
                --enable-module=setenvif \
                --enable-module=so \
                --enable-module=speling \
                --enable-module=ssl \
                --enable-module=status \
                --enable-module=userdir \
                --server-uid=httpd \
                --server-gid=httpd \
                --with-perl=/usr/bin/perl 

* PHP 4.1.2
Compile options:
./configure --prefix=/usr/local/php \
            --with-apxs=/usr/local/apache/bin/apxs \
            --enable-magic-quotes \
            --with-bz2 \
            --with-java=/usr/lib/java \
            --with-mcrypt \
            --enable-mailparse \
            --with-mysql=/usr/local/mysql \
            --with-ncurses \
            --with-pdflib=/usr/lib \
            --with-mm=/usr/lib \
            --enable-sockets \
            --enable-trans-sid \
            --enable-memory-limit \
            --enable-shared \
            --enable-static \
            --enable-tsrm-pthreads \
            --with-gnu-ld

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-13 18:15 UTC] sniper@php.net 
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 16 21:01:28 2024 UTC