On Wed, 22 Sep 2004, Uwe Schindler wrote:
> What is the background of disabling the passing of the "Authentication"
> headers and the user/password pairs in them to the user? Is it a problem to
> simply give the user access to this information (even with safe mode)? If
> there is some authentication by .htaccess or something else, it is normally
> from the same user that wrote the script.

Normally, sure.  But say on a shared host http://www.isp.com/~bob sets up
a password-protected page.  Then Tom comes along and wants to grab the
user ids and passwords from Bob's site.  Safe-mode is enabled so he can't
simply write a script to steal the passwords, and even if he could, they
are encrypted.  So the way to hack it is to just password-protect one of
his own pages and give it the same auth realm as Bob's pages, and anybody
who visits http://www.isp.com/~tom anytime after visiting /~bob will
invisibly send their auth data to Tom.

-Rasmus

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
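The realm collision Rasmus describes is something a shared-host administrator can scan for. The script below is an added example, not code from this thread or from PHP: it parses the `AuthName` directives in a set of per-account `.htaccess` files and reports any realm declared by more than one account, because a browser caches Basic credentials per host and realm, so a realm shared between two accounts lets credentials entered for one account's pages be offered to the other's. The account names and file contents are constructed sample input; the `account:` realm-naming convention checked by `unscoped_realms` is an assumed house policy, not an Apache rule.

```python
"""Find HTTP Basic auth realms shared by different accounts on one host.

Added example, not part of the original thread. Browsers cache Basic
credentials keyed on (host, realm); on a shared host two user directories
announcing the same realm therefore let visitors' credentials for one
account be sent to the other. The .htaccess bodies below are constructed.
"""
import re
from collections import defaultdict

# Apache's AuthName directive; the realm may be double-quoted or a bare word.
AUTHNAME_RE = re.compile(
    r'^\s*AuthName\s+(?:"([^"]*)"|(\S+))\s*$', re.MULTILINE | re.IGNORECASE
)


def realms_in(htaccess_text):
    """Return every realm declared in one .htaccess body, in order."""
    return [quoted or bare for quoted, bare in AUTHNAME_RE.findall(htaccess_text)]


def shared_realms(htaccess_by_account):
    """Map realm -> sorted accounts declaring it, for realms used by >1 account."""
    owners = defaultdict(set)
    for account, text in htaccess_by_account.items():
        for realm in realms_in(text):
            owners[realm].add(account)
    return {realm: sorted(accts) for realm, accts in owners.items() if len(accts) > 1}


def unscoped_realms(htaccess_by_account):
    """Accounts whose realm is not namespaced as '<account>:...' (assumed policy).

    Namespacing realms per account guarantees they cannot collide across
    accounts even if two users pick the same human-readable name.
    """
    offenders = {}
    for account, text in htaccess_by_account.items():
        bad = [r for r in realms_in(text) if not r.startswith(account + ":")]
        if bad:
            offenders[account] = bad
    return offenders


# Constructed sample input: three accounts' .htaccess files on one host.
SAMPLE = {
    "bob": 'AuthType Basic\nAuthName "Members"\nAuthUserFile /home/bob/.htpasswd\nRequire valid-user\n',
    "tom": 'AuthType Basic\nAuthName "Members"\nAuthUserFile /home/tom/.htpasswd\nRequire valid-user\n',
    "eve": "AuthType Basic\nAuthName eve:private\nRequire valid-user\n",
}

if __name__ == "__main__":
    for realm, accounts in shared_realms(SAMPLE).items():
        print(f"realm {realm!r} is shared by {', '.join(accounts)}: "
              "credentials cached for one account will be offered to the other")
    for account, realms in unscoped_realms(SAMPLE).items():
        print(f"{account}: realm(s) {realms} are not prefixed with '{account}:'")
```

Running it on the constructed sample flags `Members` as shared by `bob` and `tom`, the exact collision in the message, while `eve`'s namespaced realm passes both checks.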
