Bug #20088 Custom authentication mechanism
Submitted: 2002-10-25 10:36 UTC Modified: 2002-10-28 05:33 UTC
From: paul at myitcv dot org dot uk Assigned:
Status: Closed Package: HTTP related
PHP Version: 4.2.3 OS: SuSE Linux 7.2
Private report: No CVE-ID: None
 [2002-10-25 10:36 UTC] paul at myitcv dot org dot uk
The following code:

<?php

// File Name: auth01.php
// Relies on register_globals=On: $PHP_AUTH_USER, $PHP_AUTH_PW and
// $PHP_AUTH_TYPE are populated by mod_php when it parses a Basic
// Authorization header itself.
// Check to see if $PHP_AUTH_USER already contains info

if (!isset($PHP_AUTH_USER)) {
    // If empty, send header causing dialog box to appear
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('HTTP/1.0 401 Unauthorized');
    phpinfo();
    exit;
} else {
    // If not empty, display values for variables
    echo "
<P>You have entered this username: $PHP_AUTH_USER<br>
You have entered this password: $PHP_AUTH_PW<br>
The authorization type is: $PHP_AUTH_TYPE</p>
";
}

?>

...fails. I believe the reason for this is that I have made the following change to the PHP source:

--- php/sapi/apache/mod_php4.c.paj00    Tue Sep 10 13:59:06 2002
+++ php/sapi/apache/mod_php4.c  Tue Sep 10 13:59:17 2002
@@ -434,7 +434,7 @@
                authorization = table_get(r->headers_in, "Authorization");
        }
        if (authorization
-/*             && !auth_type(r) */
+               && !auth_type(r) 
                && !strcasecmp(getword(r->pool, &authorization, ' '), "Basic")) {
                tmp = uudecode(r->pool, authorization);
                SG(request_info).auth_user = getword_nulls_nc(r->pool, &tmp, ':');
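Review bot: the re-enabled `&& !auth_type(r)` condition means mod_php now skips parsing the Basic `Authorization` header, and so never sets `SG(request_info).auth_user` (hence PHP_AUTH_USER/PHP_AUTH_PW), for any request where Apache itself has an `AuthType` configured; that is the intended hardening (PHP no longer sees credentials that an Apache auth module owns), but it silently disables PHP-side Basic auth under a server-wide `AuthType` directive, so the condition deserves a comment above the `if` and a NEWS entry stating that scripts doing their own Basic auth must live in a location without an Apache `AuthType`. The added line also carries trailing whitespace after `!auth_type(r)`.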

I have made this change because of Bug #18391. However, custom authentication methods, an example of which is entered above, now fail. I would imagine that the two are linked. 

As we use mod_auth_kerb I will not remove this patch because otherwise we leave ourselves quite open to attack from the inside. Any suggestions on how to get custom authentication working alongside the increased kerberos security?

Thanks,


Paul

 [2002-10-25 12:44 UTC] sniper@php.net
Works fine here. Do you have 'register_globals=On'?

 [2002-10-27 10:49 UTC] paul at myitcv dot org dot uk
Yes, register_globals is on. Did your test system have similar modules (eg mod_auth_kerb etc) installed?
 [2002-10-27 21:25 UTC] sterling@php.net
Err, you have created a bug by modifying the PHP source, trying to fix another bug? Why did you report this bug? Anyhow, it's marked bogus :)
 [2002-10-28 04:04 UTC] paul at myitcv dot org dot uk
The patch I applied to the source was on the recommendation of php.net developers who said that the exact same patch would soon make it into the main tree. Therefore I assumed they recognised the original behaviour with revelation of kerberos passwords as a genuine bug.

Hence, with the patch applied I am now reporting that the custom authentication method fails. 

Sorry for being thick, but have I missed something?
 [2002-10-28 04:51 UTC] sniper@php.net
Never mind, Sterling, he just wasn't aware of the patch, which, btw, is in 4.3.0-dev already.

Anyway, I'm still unable to reproduce this. I don't have time to install mod_auth_kerb right now. But the problem might be configuration related. Are you sure you're not using mod_auth_kerb within the same vhost/directory (not sure how it can be configured) as the one you're trying to run that PHP code in?

--Jani

 [2002-10-28 05:33 UTC] paul at myitcv dot org dot uk
Jani,

Many thanks. Following on from your suggestion, I checked out the path from .htaccess to httpd.conf. Sure enough, as a globally set parameter in httpd.conf in a <Directory /> style config directive we have the following:

AuthType KerberosV5

which I would imagine is causing the problem.

Many thanks for your time,


Paul
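The thread's root cause (a server-wide AuthType means mod_php never fills PHP_AUTH_USER, so a script doing its own Basic auth loops on 401) suggests how a custom check should be written today. The following is an added example, not the reporter's auth01.php and not PHP project code: it reads $_SERVER instead of relying on register_globals, reports the Apache-owned-auth case instead of failing silently, compares against a stored hash, and never echoes the password. It assumes PHP 7 or later, mod_php, that REMOTE_USER is exposed in $_SERVER when an Apache auth module authenticated the request, and a single demo account whose hash is constructed at startup.

```php
<?php
// Demo-only credential store: a single account, hash constructed at startup
// (a real deployment loads hashes from a protected store).
$users = ['paul' => password_hash('s3cret', PASSWORD_DEFAULT)];
// Hash that never matches a stored account; used so unknown users cost the
// same time as known ones (no user enumeration via timing).
$dummy_hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function demand_basic_auth(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo "Authentication required.\n";
    exit;
}

// mod_php only parses the Basic Authorization header (and sets PHP_AUTH_*)
// when Apache has no AuthType for this request. If an Apache module such as
// mod_auth_kerb already authenticated the user, REMOTE_USER is set (assumed)
// and PHP_AUTH_USER is not: explain that, rather than re-sending 401 forever.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    if (isset($_SERVER['REMOTE_USER'])) {
        header('HTTP/1.0 500 Internal Server Error');
        echo "Apache already authenticated this request (AuthType set for this "
           . "location); PHP-side Basic auth cannot run here.\n";
        exit;
    }
    demand_basic_auth('My Private Stuff');
}

$user = $_SERVER['PHP_AUTH_USER'];
$pw   = $_SERVER['PHP_AUTH_PW'] ?? '';
$hash = $users[$user] ?? $dummy_hash;

// Constant-time verify; isset() keeps an unknown user from passing with the
// dummy hash. Same 401 for bad user and bad password: no hint which was wrong.
if (!password_verify($pw, $hash) || !isset($users[$user])) {
    demand_basic_auth('My Private Stuff');
}

// Unlike auth01.php, only the user name and auth type are shown, never the
// password, and both are escaped before going into HTML.
$esc = function (string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
};
echo '<p>Authenticated as ' . $esc($user)
   . ' via ' . $esc($_SERVER['AUTH_TYPE'] ?? 'unknown') . "</p>\n";
```

Under CGI or FastCGI SAPIs PHP_AUTH_USER is not populated either, so the same "Apache already handled it" branch needs a different check there.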
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Apr 18 11:01:28 2024 UTC