PHP :: Bug #19251 :: Passwords exposed when using external authentification

Bug #19251	Passwords exposed when using external authentification
Submitted:	2002-09-05 10:08 UTC	Modified:	2002-09-05 10:21 UTC
From:	james dot mcininch at attbi dot com	Assigned:
Status:	Closed	Package:	Apache related
PHP Version:	4.2.2	OS:	Solaris and Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2002-09-05 10:08 UTC] james dot mcininch at attbi dot com

This bug is a security issue first reported for 4.0.4 as bug
#9022 and has yet to be fixed. The security flaw remains.

According to the PHP documentation, if a user is authenticated
using and external HTTP basic authentification mechanism such
as the various mechanisms available under Apache (I tested
file-based and LDAP-based authentification), the PHP_AUTH_PW
and PHP_AUTH_USER variables SHOULD NOT BE SET. This is the
correct and desired behavior as it prevents malicious users
from capturing this information in environments where they
are permitted to host PHP scripts that authenticate off an
external resource.

However, the password information is always returned by
PHP - exposing the user password. Demonstrating the exploit
is very simple:

Make a directory with the following script in it:

<?php phpinfo(); ?>

Then create an .htaccess file like:

AuthType Basic
AuthName "This is a test"
AuthUserfile .htpasswd
Require valid-user

... and make the .htpasswd file with a username and password.

When you go to the phpinfo page, note that the username
and password are contained on the page (as PHP_AUTH_USER
and PHP_AUTH_PW respectively).

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-09-05 10:21 UTC] james dot mcininch at attbi dot com

I should add that safe_mode apparently enables the behavior
mentioned in the documentation (which does not state that
it is required). In fact, this is undesirable. safe_mode
imposes an array of undesirable restrictions outside the
passing of PHP_AUTH_*. The behavior should be as documented
without the setting of safe_mode, as expected.

[2002-09-05 10:21 UTC] rasmus@php.net

Fixed a while ago in CVS

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue May 06 14:01:28 2025 UTC