php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #9022 Selectable option for PHP_AUTH_PW
Submitted: 2001-01-31 02:37 UTC Modified: 2002-09-05 10:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: csy at hjc dot edu dot sg Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.0.4pl1 OS: Linux
Private report: No CVE-ID: None
 [2001-01-31 02:37 UTC] csy at hjc dot edu dot sg
I am currently running Apache-1.3.17 with php-4.0.4pl1 . It appears that when I am using Apache's own mod_auth with .htaccess and .htpasswd authentication, PHP will store the password from Apache into the PHP_AUTH_PW variables.

Thou it is useful somethings, it also creates a security problem in the following situation.

access to http://www.abc.com is limited to users who each have their own unique username/password.

http://www.abc.com/apps1 is developed and maintained by groupA

http://www.abc.com/apps2 is developed and maintained by groupB

Any malicious developer in groupA or B will be able to silently steal the user's password when they access either apps1 or apps2 without the user knowing by just saving the values found in PHP_AUTH_USER and PHP_AUTH_PW .

The malicious developer can then use the saved password to assume the identity of the original user and access the website to perform functions without the original user knowing.

Hence I am wondering if it will be possible to have a configuration directive that can select whether PHP_AUTH_PW will store the external password when external authentication modules like mod_auth are used.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-09-05 10:22 UTC] rasmus@php.net
Fixed in CVS
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 03:01:28 2024 UTC