Hello, sure I am interested in the mod_perl answer to retrieve the AUTH password.
I am using mod_perl on an x86 sparc with oracle 10, 32 bit client. If the payload is stored to a hard disk, then it makes sense to encrypt the payload. But as said, I do not want to talk about all the reasons why I prefer this solution.

Greetings,
Alexander

________________________________________
From: André Warnier [a...@ice-sa.com]
Sent: Tuesday, 15 May 2012 23:33
To: mod_perl list
Subject: Re: AW: AUTH password

alexander.elg...@t-systems.com wrote:
> a...@ice-sa.com wrote:
>> alexander.elg...@t-systems.com wrote:
>>> Hello,
>>>
>>> I am looking for a way to retrieve the AUTH password, without using
>>> mod_rewrite ...
>> I'd be interested in how you would do it, using mod_rewrite.
>> For my personal education..
>
> mod_rewrite is really powerful, you are able to pass any header information
> to any output.
> I just tried the following rule, it just appends the header to the GET
> Request.
>
> RewriteEngine On
> RewriteRule (.*) $1?HTTP_Authorization=%{HTTP:Authorization} [PT]
>
> Or pass it to ENV:
> RewriteRule / - [PT,E=HTTP_Authorization:%{HTTP:Authorization}]
>
> http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
>
> In PHP you just need a single line to decode it:
> var_dump(base64_decode(str_replace('Basic ', '',
> $_REQUEST['HTTP_Authorization'])));
>
> var_dump(base64_decode(str_replace('Basic ', '',
> $_SERVER['HTTP_Authorization'])));
>
> And please do not talk about security, it is just base64, if there is no SSL,
> anyone in the middle is able to read the password.
>

I gather that this is a very indirect response to my question: you are talking about HTTP Basic Authentication. And without SSL, so this is a very insecure environment (but we did not know that before).

In that case - one among many possibilities, which is why I was asking - indeed the password is "encrypted" (so to speak) and sent over the network as part of the HTTP "Authorization" header.

And I gather - which you also did not say - that this is a cgi-bin script, not a mod_perl module. So indeed it has a cgi-bin "environment" available to it.
(This is a mod_perl support list, so it is kind of expected that people come here to ask mod_perl-specific questions, unless they say otherwise).

So now, about your initial question, does your webserver include mod_perl, and is your perl cgi-bin script running under mod_perl?
I am asking because you did not say, and because the response to your question is different, depending on your environment.

Basically:
- if you are not running under mod_perl, as a simple cgi-bin perl script, then you will also need mod_rewrite, and code similar to what you show above for PHP.
- if you are running under mod_perl, then your script would have access to some deeper things within Apache httpd, and you could do this without mod_rewrite.

And there is a side question too, just out of curiosity: if this is such an insecure environment, why do you bother encrypting the response (using the user's password which everyone can get at anyway)?
And if this is running under SSL, then also why bother encrypting the response?
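
The thread decodes the Basic `Authorization` value by stripping the literal `'Basic '` and base64-decoding the rest. As an added example that is not part of the original messages, here is a stricter parser for that header in Perl, handling a case-insensitive scheme name, colons inside the password, and malformed input. The function name `parse_basic_auth` and the sample values are constructed for illustration; under mod_perl 2 the input would come from `$r->headers_in->{'Authorization'}`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Hypothetical helper: parse an HTTP Basic "Authorization" header value.
# Returns (user, password), or an empty list if the value is missing,
# uses another scheme, or is malformed.
sub parse_basic_auth {
    my ($header) = @_;
    return unless defined $header;

    # Scheme name is case-insensitive; the credentials must be clean base64.
    my ($b64) = $header =~ m{\A\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*\z}i
        or return;
    return if length($b64) % 4;    # truncated or badly padded token

    my $decoded = decode_base64($b64);

    # Split on the FIRST colon only: the user-id cannot contain ':',
    # but the password can.
    my ($user, $password) = split /:/, $decoded, 2;
    return unless defined $password;    # no colon at all
    return ($user, $password);
}

# Constructed sample header values (not taken from the thread).
my @samples = (
    [ 'plain credentials',   'Basic ' . encode_base64('alice:s3cret', '') ],
    [ 'lower-case scheme',   'basic ' . encode_base64('bob:pa:ss:word', '') ],
    [ 'no colon in payload', 'Basic ' . encode_base64('nocolon', '') ],
    [ 'other scheme',        'Bearer abc.def.ghi' ],
    [ 'not base64',          'Basic !!!not-base64!!!' ],
);

for my $sample (@samples) {
    my ($label, $header) = @$sample;
    my ($user, $pw) = parse_basic_auth($header);
    # Report only the password length, so the secret never reaches logs.
    printf "%-20s => %s\n", $label,
        defined $user
            ? "user=$user, password length=" . length($pw)
            : 'rejected';
}
```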