|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #42347 Inconsistency of treatments of PHP_AUTH_PW and HTTP Authorization header
Submitted: 2007-08-20 10:48 UTC Modified: 2008-07-11 21:29 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: c dot i dot morris at durham dot ac dot uk Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 4.4.7 OS: Linux+Apache
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: c dot i dot morris at durham dot ac dot uk
New email:
PHP Version: OS:


 [2007-08-20 10:48 UTC] c dot i dot morris at durham dot ac dot uk
In safe mode, the PHP_AUTH_PW variable is not available to users if the authorisation was handled by Apache rather than PHP (e.g. Apache's various mod_auth_*). This correctly prevents users from reading the passwords from a central user database simply by getting a logged-in user to view their page.

However, the HTTP Authorization header is not similarly filtered out in safe_mode, allowing a malicious user to use the code below to read other users' passwords.

This definitely affects apache_request_headers() - if there are any other functions also allowing reading of HTTP request headers, they should also be checked.

Reproduce code:
// in a directory with Basic auth via Apache configuration
$headers = apache_request_headers();
$auth = substr($headers['Authorization'],6);
$up = base64_decode($auth);

Expected result:
Should not print anything.

Actual result:
Prints username and password of authenticated user


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-07-11 21:29 UTC]
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6

PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sat Nov 26 16:05:52 2022 UTC