From:             [EMAIL PROTECTED]
Operating system: SuSE Linux 7.x
PHP version:      4.1.2
PHP Bug Type:     Apache related
Bug description:  $PHP_AUTH_PW accessible when authentication is done by Apache

This bug is security related. The password of any user who is
authenticated via Apache is still accessible through $PHP_AUTH_PW to any
user who is able to execute PHP scripts. I'm using mod_auth_samba to
authenticate users with their Windows passwords.
http://www.php.net/manual/en/features.http-auth.php states that "In order
to prevent someone from writing a script which reveals the password for a
page that was authenticated through a traditional external mechanism, the
PHP_AUTH variables will not be set if external authentication is enabled
for that particular page. In this case, the $REMOTE_USER variable can be
used to identify the externally-authenticated user.

Configuration Note: PHP uses the presence of an AuthType directive to
determine whether external authentication is in effect. Remember to avoid
this directive for the context where you want to use PHP authentication
(otherwise each authentication attempt will fail)."

Unless I'm completely mistaken, $PHP_AUTH_USER and $PHP_AUTH_PW are set,
regardless of the existence of the 'AuthType'-directive.
________________________________________________________
testme.php:
<?=$PHP_AUTH_USER?>
<br>
<?=$PHP_AUTH_PW?>
<br>
<?=$REMOTE_USER?>

Configuration:
---------------
* SuSE Linux 7.3
* Apache 1.3.23:
...
  <Location "/testme.php">
    AuthType Basic
    Options FollowSymLinks
    AllowOverride None
    AuthSambaEnabled On
    AuthAuthoritative On      
    AuthName "php_auth_pw Test"
    AuthSambaDomain tiwag:exchange,hvntsna
    require valid-user
    Order Allow,Deny
    Allow from all
  </Location>
...
Compile options:
LIBS="/lib/security/pam_smb_auth.so -lpam /usr/lib/libdbm.so" \
./configure     --prefix=/usr/local/apache \
                --add-module=src/modules/extra/mod_auth_samba.c \
                --enable-module=access \
                --enable-module=actions \
                --enable-module=alias \
                --enable-module=asis \
                --enable-module=auth \
                --enable-module=auth_digest \
                --enable-module=autoindex \
                --enable-module=cgi \
                --enable-module=dir \
                --enable-module=env \
                --enable-module=expires \
                --enable-module=headers \
                --enable-module=imap \
                --enable-module=include \
                --enable-module=info \
                --enable-module=log_config \
                --enable-module=mime \
                --enable-module=mime_magic \
                --enable-module=negotiation \
                --enable-module=setenvif \
                --enable-module=so \
                --enable-module=speling \
                --enable-module=ssl \
                --enable-module=status \
                --enable-module=userdir \
                --server-uid=httpd \
                --server-gid=httpd \
                --with-perl=/usr/bin/perl 

* PHP 4.1.2
Compile options:
./configure --prefix=/usr/local/php \
            --with-apxs=/usr/local/apache/bin/apxs \
            --enable-magic-quotes \
            --with-bz2 \
            --with-java=/usr/lib/java \
            --with-mcrypt \
            --enable-mailparse \
            --with-mysql=/usr/local/mysql \
            --with-ncurses \
            --with-pdflib=/usr/lib \
            --with-mm=/usr/lib \
            --enable-sockets \
            --enable-trans-sid \
            --enable-memory-limit \
            --enable-shared \
            --enable-static \
            --enable-tsrm-pthreads \
            --with-gnu-ld

-- 
Edit bug report at http://bugs.php.net/?id=16653&edit=1
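
A variant of testme.php that reports the exposure without echoing the user name or password, as an added example that is not part of the original bug report. The function names and verdict strings are assumptions made for illustration, and AUTH_TYPE is the standard CGI variable rather than one the report mentions.

```php
<?php
// Added example: classify what a protected page exposes to PHP without
// ever printing the user name or password themselves.

// $server is $_SERVER or a constructed sample with the same keys.
function auth_exposure($server)
{
    $seen = array();
    // REMOTE_USER, PHP_AUTH_USER and PHP_AUTH_PW are named in the report;
    // AUTH_TYPE is the standard CGI variable (assumed to be set by Apache).
    foreach (array('REMOTE_USER', 'AUTH_TYPE', 'PHP_AUTH_USER', 'PHP_AUTH_PW') as $key) {
        $seen[$key] = isset($server[$key]) && $server[$key] !== '';
    }
    // Apache identified the user itself: external authentication is in effect.
    $external = $seen['REMOTE_USER'] || $seen['AUTH_TYPE'];
    if ($external && $seen['PHP_AUTH_PW']) {
        $seen['verdict'] = 'EXPOSED: Apache authenticated the user, yet scripts can read the password';
    } elseif ($external) {
        $seen['verdict'] = 'OK: Apache authenticated the user, password withheld from PHP';
    } elseif ($seen['PHP_AUTH_PW']) {
        $seen['verdict'] = 'PHP-managed authentication: credentials are expected here';
    } else {
        $seen['verdict'] = 'No authentication data in this request';
    }
    return $seen;
}

// Render presence flags as "set" / "not set"; values are never included.
function format_report($label, $seen)
{
    $out = $label . "\n";
    foreach ($seen as $key => $value) {
        $shown = is_bool($value) ? ($value ? 'set' : 'not set') : $value;
        $out .= sprintf("  %-14s %s\n", $key, $shown);
    }
    return $out;
}

if (php_sapi_name() == 'cli') {
    // Constructed samples (not captured from a real server).
    $bug  = array('REMOTE_USER' => 'alice', 'AUTH_TYPE' => 'Basic',
                  'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'constructed-secret');
    $good = array('REMOTE_USER' => 'alice', 'AUTH_TYPE' => 'Basic');
    echo format_report('sample: behaviour described in the report', auth_exposure($bug));
    echo format_report('sample: behaviour the manual documents', auth_exposure($good));
} else {
    header('Content-Type: text/plain');
    echo format_report('this request', auth_exposure($_SERVER));
}
```

Served from the protected location in place of testme.php, it gives the verdict for the live request; run from the command line, it prints the two constructed cases.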