|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68851 PHP and Apache2 interpret duplicate Authentication headers differently
Submitted: 2015-01-18 12:26 UTC Modified: 2015-01-18 13:08 UTC
From: phillip dot berndt at googlemail dot com Assigned:
Status: Open Package: Apache2 related
PHP Version: 5.4.36 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: phillip dot berndt at googlemail dot com
New email:
PHP Version: OS:


 [2015-01-18 12:26 UTC] phillip dot berndt at googlemail dot com
If a request contains multiple Authorization headers, PHP and Apache parse them differently. If Apache does the authorization, this leads to PHP having a wrong password in $_SERVER[PHP_AUTH_PW]:

Apache uses the first header for authentication.

PHP concatenates both headers somehow, I suppose with the usual ", " in between, and then messes up base64 decoding (the source code seems to actually call uudecode()?!).

This alone does not have any security implications I can think of, therefore I'll categorize this as a simple bug. I haven't looked into the cause of the bug in the base64 decoder though.

Test script:
htaccess file:

AuthType Basic
AuthUserFile /path/to/htpasswd
AuthName "test"
Require valid-user

php script:

	header("Content-type: text/plain");
	echo urlencode($_SERVER["PHP_AUTH_PW"]);

htpasswd allows login for user:user

Expected result:
$ curl "http://path/to/page" -H "Authorization: Basic dXNlcjp1c2Vy" -H "Authorization: Basic YWRtaW46YWRtaW4=" 

Actual result:
$ curl "http://path/to/page" -H "Authorization: Basic dXNlcjp1c2Vy" -H "Authorization: Basic YWRtaW46YWRtaW4=" 


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2015-01-18 13:08 UTC]
Multiple Authorization headers aren't actually permitted by the RFCs. What you're sending is equivalent to
  Authorization: Basic dXNlcjp1c2Vy, Basic YWRtaW46YWRtaW4
Base-64 ignores whitespace and other invalid characters so that gets treated like
  Authorization: Basic dXNlcjp1c2VyBasicYWRtaW46YWRtaW4
which decodes to ("user:" followed by) the crazy stuff you're seeing.
  echo urlencode(base64_decode('dXNlcjp1c2VyBasicYWRtaW46YWRtaW4'));
  // user%3Auser%05%AB%22q%85%91%B5%A5%B8%E9%85%91%B5%A5%B8

IMO since this situation is prohibited, PHP's behavior is acceptable. Apache ignoring the additional headers is reasonable because multiple Authorizations don't make sense, and PHP combining them is not unreasonable because multiple headers means necessarily that they are equivalent to one which has the values combined and comma-separated.
 [2015-01-18 16:05 UTC] phillip dot berndt at googlemail dot com
My point was not to blame anyone that the RFC is not fulfiled, but to mention that different behaviour between httpd and php isn't what any user would expect, and therefore can potentially lead to security issues if an attacker deliberately sends two authentication headers. If authentication is handled externally through Apache and PHP_AUTH_PW is populated, I'd always expect that variable to hold exactly the password that Apache recognized & accepted. In the worst case, this could mean that I use the value as if it didn't need the special care user input usually requires and then

$ curl "http://path/to/page" -H "Authorization: Basic dXNlcjp1c2Vy" -H "Authorization: Basic GEuLi4gJzsgRFJPUCBUQUJMRSB1c2VyczsgLS0A=" '; DROP TABLE users; --

would do lot's of damage.

If you want to do anything about this, a potential solution would be to check if Authorization headers exactly match "Basic <valid base64 without any other characters in between>" and only populate the PHP_AUTH_* variables if so.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Jun 13 07:01:34 2024 UTC