PHP :: Bug #37970 :: PHP_AUTH_PW and PHP_AUTH

Bug #37970	PHP_AUTH_PW and PHP_AUTH_USER are being exposed
Submitted:	2006-06-30 04:52 UTC	Modified:	2006-06-30 07:48 UTC
From:	ct at swin dot edu dot au	Assigned:
Status:	Not a bug	Package:	Unknown/Other Function
PHP Version:	5.1.4	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2006-06-30 04:52 UTC] ct at swin dot edu dot au

Description:
------------
PHP_AUTH_PW and PHP_AUTH_USER are exposed to other scripts running in a shared host environment.

Reproduce code:
---------------
user1 has a PHP web page http://www.example.com/~user1 that uses external authentication via Apache basic authentication.

/home/user1/public_html/.htaccess

AuthType Basic
AuthName "This is a test"
AuthUserfile /home/user1/public_html/.htpasswd
Require valid-user

user2 has a PHP page http://www.example.com/~user2 that prints out $_SERVER

A user visits http://www.example.com/~user1 (No trailing slash) and enters their username/password entered in popup window.

The user then visits http://www.example.com/~user2.  Their password is then exposed to this script.

This does not happen if the URL of the page asking for authentication has an appended slash. Eg. http://www.example.com/~user/.




Expected result:
----------------
PHP_AUTH_USER and PHP_AUTH_PW should not be exposed to other users scripts on a shared host. 

Actual result:
--------------
PHP_AUTH_USER and PHP_AUTH_PW are exposed to script even when safe_mode is enabled.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-06-30 07:48 UTC] tony2001@php.net

Please direct your complaints to the developers of your browser, since your _BROWSER_ sends login/password pair and it has *nothing* to do with PHP.

[2013-01-24 12:13 UTC] schmidt at holzlandbecker dot de

what _exactly_ does set this PHP_AUTH_PW variable for php global variable $_SERVER?
what is it for?
why is it called PHP_AUTH_*?
what does the browser do, for this variable to be forever in $_SESSION?

as i can reproduce this with (apache kerberos login + php 5.3.3) curl, firefox, chrome and ms-ie, i would like to know what are those "browsers" doing wrong.

[2013-01-24 12:16 UTC] schmidt at holzlandbecker dot de

typo:
what does the browser do, for this variable to be forever in $_SERVER?

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Jul 07 09:01:33 2025 UTC