On Thursday 14 August 2003 20:49, Amir Hardon wrote:
> I have a PHP site which uses HTTP user authentication,
> I just noticed something weird in the logs: I saw someone is accessing with
> username '-', which doesn't exist.
> I tried logging in using username '-' with no password and I was in!
>
> The only thing I can think of is that '-' is a special character for
> strcmp, here is my authentication function (I removed the database
> connection part):
>
> function authenticate(){
>     if (!isset($_SERVER['PHP_AUTH_USER'])) {
>         header('WWW-Authenticate: Basic realm="garin"');
>         header('HTTP/1.0 401 Unauthorized');
>         echo 'Illegal entrance';
>         return FALSE;
>     }
>     else {
>
>         $euser=mysql_escape_string(htmlspecialchars($_SERVER['PHP_AUTH_USER'],ENT_QUOTES));
>         $query='SELECT password FROM garin WHERE username=\'' . $euser . '\';';
>         $result = mysql_query($query) or die(mysql_error());
>         $row= mysql_fetch_array($result,MYSQL_ASSOC);
>
>         if(strcmp(htmlspecialchars($_SERVER['PHP_AUTH_PW'],ENT_QUOTES),$row["password"])
>
>
The next line was added out of panic, it doesn't exist in the original script,
and another weird thing happened when I added this line: strcmp always
matched.
Is this some kind of a wildcard for strcmp?
>         || (strcmp($euser,mysql_escape_string(htmlspecialchars("-")))) ){
>
>             header('WWW-Authenticate: Basic realm="garin"');
>             header('HTTP/1.0 401 Unauthorized');
>             echo "Illegal entrance.";
>             return FALSE;
>         }
>         $query='UPDATE garin SET lastlogin=NOW() WHERE username=\'' . $euser . '\';';
>         mysql_query($query);
>         return TRUE;
>     }
> }
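Added example, not code from the original post: the posted comparison, the "panic" line, and a hardened check side by side, run against a constructed in-memory table (hypothetical user 'alice') instead of MySQL. There is nothing special about '-' for strcmp(); the relevant PHP behaviour is that mysql_fetch_array() returns FALSE when the SELECT matched no row, indexing FALSE yields NULL, and strcmp() coerces NULL to "", so any username absent from the table combined with an empty password makes strcmp() return 0 and skips the reject branch. The fetch_row() stand-in below reproduces only that FALSE-on-miss behaviour.

```php
<?php
// Added example, not from the original post. fetch_row() mimics
// mysql_fetch_array($result, MYSQL_ASSOC), which returns FALSE when the
// query matched no row. Sample data is constructed; the post's table is
// 'garin' and stores passwords in plaintext, which is mirrored here as-is.
$USERS = array('alice' => 'correct horse');

function fetch_row($username) {
    global $USERS;
    if (isset($USERS[$username])) {
        return array('password' => $USERS[$username]);
    }
    return FALSE;   // no matching row: exactly what the real call returns
}

// The comparison as posted, htmlspecialchars() on the password included.
function check_as_posted($user, $pw) {
    $row = fetch_row($user);
    // Unknown user: $row is FALSE, so $row["password"] is NULL and strcmp()
    // treats it as "". With an empty password the result is 0, the reject
    // branch is skipped, and the caller returns TRUE.
    if (strcmp(htmlspecialchars($pw, ENT_QUOTES), $row["password"])) {
        return FALSE;
    }
    return TRUE;
}

// The line added "out of panic": strcmp($user, "-") is non-zero for every
// name except "-", so ORing it in rejects every real user, while "-" with an
// empty password still passes both operands.
function check_with_panic_line($user, $pw) {
    $row = fetch_row($user);
    if (strcmp(htmlspecialchars($pw, ENT_QUOTES), $row["password"])
        || strcmp($user, "-")) {
        return FALSE;
    }
    return TRUE;
}

// Hardened: refuse when no row came back, refuse empty passwords, compare
// the raw password, and test strcmp() against 0 explicitly.
function check_fixed($user, $pw) {
    $row = fetch_row($user);
    if ($row === FALSE || !isset($row['password'])) {
        return FALSE;   // unknown username never reaches the comparison
    }
    if ($pw === '') {
        return FALSE;
    }
    return strcmp($pw, $row['password']) === 0;
}

var_dump(check_as_posted('-', ''));                         // absent user, empty password
var_dump(check_with_panic_line('alice', 'correct horse'));  // real user, right password
var_dump(check_fixed('-', ''));
var_dump(check_fixed('alice', 'correct horse'));
```

Running this under PHP 4 through 7 (and under 8 with deprecation notices) shows check_as_posted('-', '') returning TRUE, check_with_panic_line rejecting 'alice' with her correct password, and check_fixed giving FALSE for '-' and TRUE for 'alice'. Two further caveats a reviewer would raise against the posted function: wrapping the submitted password in htmlspecialchars() before comparing it means any real password containing &, <, >, " or ' can never match the stored value, and storing passwords in plaintext should be replaced by a salted hash compared with a constant-time check.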