php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #19251 Passwords exposed when using external authentification
Submitted: 2002-09-05 10:08 UTC Modified: 2002-09-05 10:21 UTC
From: james dot mcininch at attbi dot com Assigned:
Status: Closed Package: Apache related
PHP Version: 4.2.2 OS: Solaris and Linux
Private report: No CVE-ID: None
 [2002-09-05 10:08 UTC] james dot mcininch at attbi dot com
This bug is a security issue first reported for 4.0.4 as bug
#9022 and has yet to be fixed. The security flaw remains.

According to the PHP documentation, if a user is authenticated
using and external HTTP basic authentification mechanism such
as the various mechanisms available under Apache (I tested
file-based and LDAP-based authentification), the PHP_AUTH_PW
and PHP_AUTH_USER variables SHOULD NOT BE SET. This is the
correct and desired behavior as it prevents malicious users
from capturing this information in environments where they
are permitted to host PHP scripts that authenticate off an
external resource.

However, the password information is always returned by
PHP - exposing the user password. Demonstrating the exploit
is very simple:

Make a directory with the following script in it:

<?php phpinfo(); ?>

Then create an .htaccess file like:

AuthType Basic
AuthName "This is a test"
AuthUserfile .htpasswd
Require valid-user

... and make the .htpasswd file with a username and password.

When you go to the phpinfo page, note that the username
and password are contained on the page (as PHP_AUTH_USER
and PHP_AUTH_PW respectively).

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-09-05 10:21 UTC] james dot mcininch at attbi dot com
I should add that safe_mode apparently enables the behavior
mentioned in the documentation (which does not state that
it is required). In fact, this is undesirable. safe_mode
imposes an array of undesirable restrictions outside the
passing of PHP_AUTH_*. The behavior should be as documented
without the setting of safe_mode, as expected.
 [2002-09-05 10:21 UTC] rasmus@php.net
Fixed a while ago in CVS
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sat May 21 00:03:50 2022 UTC