>Number:         737
>Category:       other
>Synopsis:       Server not protecting CGI programs
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Jun 13 11:40:01 1997
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.2b6
>Environment:
HPUX A.09.03   9000/735
>Description:
 I believe I have found a bug in the Apache server.  The server is not 
prompting for user authentication for my Perl CGI programs that are under a 
protected directory.  I am using a .htaccess file as shown below:

      AuthUserFile /local/www/conf/.htpasswd
      AuthGroupFile /dev/null
      AuthName Security Protected Pages
      AuthType Basic

      <Limit GET POST PUT>
      require user pottersc
      require user smithja
      </Limit>

The .htaccess file correctly protects static HTML documents which are in the 
same directory as my CGI programs; however, the CGI programs can be called 
without invoking user authentication.  I am also interested in getting access 
to the REMOTE_USER environment variable from within my CGI program, but this is 
not set since the server does not recognize the CGI programs as being protected 
documents.  I have tried this using both GET and POST Action Methods, and the 
result is the same in both cases.  I have submitted a request for help to the 
users group but have not gotten a response in 3 days.  I have tried everything 
I know and have come up with nothing.  Is this an Apache bug or am I doing 
something wrong?

Thanks in advance for your assistance.
>How-To-Repeat:
It is inside the corporate firewall, so outside access is not easily possible.
>Fix:

>Audit-Trail:
>Unformatted:
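
The check below is an added example, not part of the original report or of Apache: it requests resources without credentials and flags any that are served without a 401 challenge for the configured realm, which is the symptom the report describes. The paths in the sample data are hypothetical and the sample responses are constructed.

```python
"""Unauthenticated-access check for a directory protected with Basic auth."""
import urllib.error
import urllib.request

EXPECTED_REALM = "Security Protected Pages"  # AuthName from the report's .htaccess


def probe(url, method="GET", timeout=10):
    """Send one request with no credentials; return (status, WWW-Authenticate)."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses arrive as exceptions
        return err.code, err.headers.get("WWW-Authenticate")


def classify(status, challenge, realm=EXPECTED_REALM):
    """Judge one response that was obtained without credentials."""
    if status == 401:
        if challenge and challenge.lower().startswith("basic") and realm in challenge:
            return "protected"
        return "challenge-mismatch"  # 401, but not the scheme/realm that was configured
    if 200 <= status < 400:
        return "UNPROTECTED"         # served without any login prompt
    return "inconclusive"            # 403/404/5xx: repeat the test with valid credentials


def audit(results):
    """results: iterable of (method, path, status, challenge) -> list of verdicts."""
    return [(m, p, classify(s, c)) for m, p, s, c in results]


# Constructed sample matching the report: HTML is challenged, the CGI is not.
# The paths are hypothetical placeholders.
SAMPLE = [
    ("GET", "/protected/index.html", 401, 'Basic realm="Security Protected Pages"'),
    ("GET", "/protected/report.pl", 200, None),
    ("POST", "/protected/report.pl", 200, None),
]

if __name__ == "__main__":
    for method, path, verdict in audit(SAMPLE):
        print(f"{method:4} {path:26} {verdict}")
```

To run it against a live server, feed `audit()` with tuples built from `probe()` for each method and URL in the protected directory.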