Nice to know that people with an academic degree in computer science and a certificate in IT security are called "script-kiddy" on this mailing list.
--
Deutsche Telekom AG
Seamless ICT Security Infrastructure & Management
on behalf of T-Systems International GmbH
Dipl. Inf Alexander Elgert
Langwadener Strasse 17
64625 Bensheim
+49 176 22 717 661 (Mobile)
+49 671 83419-12 (Tel)
+49 671 83419-30 (Fax)
E-Mail: alexander.elg...@gmx.de
________________________________________
From: André Warnier [a...@ice-sa.com]
Sent: Wednesday, 16 May 2012 17:07
To: mod_perl list
Subject: Re: AW: AW: AW: AUTH password

alexander.elg...@t-systems.com wrote:
> Thank you, it works.
>
> ------------------------------------------------------------------------------
> # http://perl.apache.org/docs/2.0/api/Apache2/RequestRec.html
> use strict;
> use warnings;
> use CGI;
> #use Apache ();
> #use APR::Base64;
> use Apache2::Access ();       # provides $r->get_basic_auth_pw
> use Apache2::RequestRec ();   # provides $r->headers_in
> use Apache2::RequestUtil ();  # provides Apache2::RequestUtil->request
>
> my $q = CGI->new;
> #print $ENV{MOD_PERL_API_VERSION} . "\n";
> #my $r = Apache->request();
> # get the global request object (requires PerlOptions +GlobalRequest in httpd.conf)
> my $r = Apache2::RequestUtil->request();
> my $pw = $r->headers_in->{Authorization};   # raw "Basic <base64>" header, if any
> #$pw =~ s/^Basic //;
> #$pw = APR::Base64::decode($pw);
>
> print $q->header();
> #print "Apache->request: ". $pw . "<br>\n";
>
> # returns (status, password); the password is only set for Basic authentication
> (my $rc, $pw) = $r->get_basic_auth_pw;
> print "Apache2 Access get_basic_auth_pw: " . $pw . "<br>\n";
> ----------------------------------------------------------------------------------

There you go.

About all the rest, and the obviously unwelcome comments you got before: your initial post was very short on details, and sounded like you thought that being able to get the user's password after a web authentication was a universal truth, via a cgi-bin "HTTP_AUTHORIZATION" environment value. That, and your reference to a one-line PHP script command, frankly made it sound like something coming from a "script-kiddie". That is why you got these comments related to security, authentication methods, SSL etc.

HTTP headers of a request are not normally available to a cgi-bin script. CGI environment values are only there if the httpd server (or some other add-on module) puts them there before running the script. Some of these environment values may be derived from original HTTP request headers, but the relationship is not one-to-one. The user's authentication password is certainly not contained in any standard CGI environment value.

The user's authentication password is only available from an HTTP request header if the web authentication method used is HTTP Basic Authentication. In all other serious web authentication methods, the password is not transmitted over the net, encrypted or not. So it is generally not possible for anything running in a webserver to get to that password in the clear; and rightly so, because people tend to use the same password for any 2-cent web application as they use to log in to their corporate servers. In other words, if you build your application on the premise that you can get and use the user's password to encrypt something with it, then your application will not be portable to any serious context.

Also, if your application has parts running under SSL and parts that don't, then as a whole it is as insecure as the non-SSL part. It is the weakest part that determines the security level, not the strongest part.

The same about implementing security "step by step". If you start running your application insecurely, then by the time you make it secure, the user's passwords will already have been stolen, and can be re-used in the secure version. Are all users going to change their passwords then?

In summary, the code above is good as an exercise for mod_perl. Is it recommended for any real application? Certainly not.

Believe it or not, people on this list are only trying to help you, for example in not writing code that you'll have to rewrite later.
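The two points André makes above (the password is only recoverable from the Authorization header when the scheme is Basic, and a CGI script does not even get that header unless the server chooses to pass it) can be checked outside Apache. The following is an added example, not code from the thread or from mod_perl/httpd: a stand-alone Python model of the RFC 3875 header-to-environment mapping plus a parser for the Authorization header. The sample credentials and Digest/Bearer values are constructed for the demo, and `pass_auth` is a hypothetical switch that mimics httpd's `CGIPassAuth` directive, which is off by default and is the reason `HTTP_AUTHORIZATION` is normally absent from a cgi-bin environment.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample Authorization headers (not taken from the thread).
# "alice:s3cret" is the Basic credential; the Digest and Bearer values are placeholders.
BASIC_AUTH = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
DIGEST_AUTH = ('Digest username="alice", realm="corp", nonce="dcd98b7102dd2f0e", '
               'uri="/index.html", response="6629fae49393a05397450978507c4ef1"')
BEARER_AUTH = "Bearer eyJhbGciOiJIUzI1NiJ9.e30.placeholder"


def password_from_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) if and only if the scheme is Basic.

    Basic is the only common scheme that carries the password itself; Digest
    carries a hash computed over it and Bearer carries a token, so for those
    (and for a missing or malformed header) there is nothing to recover.
    """
    if not header:
        return None
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(rest.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # not valid base64, or not UTF-8
        return None
    user, sep, password = text.partition(":")  # RFC 7617: the user-id may not contain ':'
    if not sep:
        return None
    return user, password


def cgi_environment(headers: Dict[str, str], pass_auth: bool = False) -> Dict[str, str]:
    """Build the CGI (RFC 3875) environment a gateway derives from request headers.

    Header names are upper-cased, '-' becomes '_' and an HTTP_ prefix is added,
    except Content-Type/Content-Length, which become CONTENT_TYPE/CONTENT_LENGTH.
    Authorization and Proxy-Authorization are withheld unless pass_auth is set;
    this models httpd's default behaviour (CGIPassAuth off), not its actual code.
    """
    env: Dict[str, str] = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key in ("AUTHORIZATION", "PROXY_AUTHORIZATION") and not pass_auth:
            continue
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value
        else:
            env["HTTP_" + key] = value
    return env


def password_seen_by_cgi(headers: Dict[str, str], pass_auth: bool = False) -> Optional[Tuple[str, str]]:
    """What a cgi-bin script could learn about the password from its environment alone."""
    env = cgi_environment(headers, pass_auth)
    return password_from_authorization(env.get("HTTP_AUTHORIZATION"))


if __name__ == "__main__":
    for label, auth in (("Basic", BASIC_AUTH), ("Digest", DIGEST_AUTH), ("Bearer", BEARER_AUTH)):
        hdrs = {"Host": "www.example.com", "Authorization": auth}
        print(f"{label:6} direct={password_from_authorization(auth)} "
              f"cgi_default={password_seen_by_cgi(hdrs)} "
              f"cgi_passauth={password_seen_by_cgi(hdrs, pass_auth=True)}")
```

Running it shows the same split the mail describes: only the Basic header yields a clear-text password, and even that reaches a CGI script only when the server is explicitly told to forward the header; a mod_perl handler with access to `$r->headers_in` sees the header regardless, which is why the Perl snippet above works while a plain cgi-bin `HTTP_AUTHORIZATION` lookup usually does not.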