Amir Hardon wrote:
I have a PHP site which uses HTTP user authentication,
I just noticed something weird in the logs, I saw someone is accessing with
username '-', which doesn't exist.
I tried logging in using username '-' with no password and I was in!
The only thing I can think of is that '-' is a special character for strcmp,
here is my authentication function (I removed the database connection part):

function authenticate(){
    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        header('WWW-Authenticate: Basic realm="garin"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Illegal entrance';
        return FALSE;
    }
    else {
        $euser=mysql_escape_string(htmlspecialchars($_SERVER['PHP_AUTH_USER'],ENT_QUOTES));;
        $query='SELECT password FROM garin WHERE username=\'' . $euser . '\';';
        $result = mysql_query($query) or die(mysql_error());
        $row= mysql_fetch_array($result,MYSQL_ASSOC);

Which means that if the query returns 0 rows (for example, because the
username doesn't exist), $row is empty, no?

        if(strcmp(htmlspecialchars($_SERVER['PHP_AUTH_PW'],ENT_QUOTES),$row["password"])
            || (strcmp($euser,mysql_escape_string(htmlspecialchars("-")))) ){

Which means that the strcmp has no reason to fail. NULL is implicitly
converted into an empty string, IIRC. You should check for NULL return
on $row, and fail the authentication.

            header('WWW-Authenticate: Basic realm="garin"');
            header('HTTP/1.0 401 Unauthorized');
            echo "Illegal entrance.";
            return FALSE;
        }
        $query='UPDATE garin SET lastlogin=NOW() WHERE username=\'' . $euser .
            '\';';
        mysql_query($query);
        return TRUE;
    }
}

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
--
Shachar Shemesh
Open Source integration consultant
Home page & resume - http://www.shemesh.biz/
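
Added example, not part of the original message or the poster's code: a self-contained PHP sketch of the point made in the reply, modelling only the password comparison (not the second strcmp on the username). The function names, the stand-in lookup table and the sample credentials are constructed for illustration.

```php
<?php
// Added illustration; function names and sample rows are constructed.

// Models the comparison in the quoted code: a missing row yields NULL for
// $row["password"], which strcmp() treats as "" (the cast makes that explicit).
function original_password_check($row, string $suppliedPw): bool
{
    $stored = (string)($row['password'] ?? '');
    return strcmp($suppliedPw, $stored) === 0;
}

// The check suggested in the reply: no row means authentication fails,
// before any string comparison happens.
function checked_password_check($row, string $suppliedPw): bool
{
    if (!is_array($row) || !isset($row['password'])) {
        return false;
    }
    // hash_equals() compares in constant time; strcmp() would also be correct here.
    return hash_equals((string)$row['password'], $suppliedPw);
}

// Constructed stand-in for the garin table lookup: returns the row, or
// false when the username does not exist (as mysql_fetch_array() does).
function fetch_row(string $username)
{
    $table = ['alice' => ['password' => 's3cret']];
    return $table[$username] ?? false;
}

$cases = [
    ['alice', 's3cret'],  // valid login
    ['alice', ''],        // existing user, empty password
    ['-', ''],            // nonexistent user, empty password
    ['nobody', ''],       // another nonexistent user, empty password
];
foreach ($cases as [$user, $pw]) {
    $row = fetch_row($user);
    printf("%-8s pw=%-8s original=%s checked=%s\n",
        var_export($user, true), var_export($pw, true),
        var_export(original_password_check($row, $pw), true),
        var_export(checked_password_check($row, $pw), true));
}
```

The rows for nonexistent users with an empty password are the ones where the two functions disagree, which is the case described in the reply.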