ID: 42347
Updated by: [EMAIL PROTECTED]
Reported By: c dot i dot morris at durham dot ac dot uk
-Status: Open
+Status: Wont fix
Bug Type: Safe Mode/open_basedir
Operating System: Linux+Apache
PHP Version: 4.4.7
New Comment:

We are sorry, but we can not support PHP 4 related problems anymore. Momentum is gathering for PHP 6, and we think supporting PHP 4 will lead to a waste of resources which we want to put into getting PHP 6 ready.

Previous Comments:
------------------------------------------------------------------------

[2007-08-20 10:48:59] c dot i dot morris at durham dot ac dot uk

Description:
------------
In safe mode, the PHP_AUTH_PW variable is not available to users if the authorisation was handled by Apache rather than PHP (e.g. Apache's various mod_auth_*). This correctly prevents users from reading the passwords from a central user database simply by getting a logged-in user to view their page.

However, the HTTP Authorization header is not similarly filtered out in safe_mode, allowing a malicious user to use the code below to read other users' passwords.

This definitely affects apache_request_headers() - if there are any other functions also allowing reading of HTTP request headers, they should also be checked.

Reproduce code:
---------------
<?php
// in a directory with Basic auth via Apache configuration
$headers = apache_request_headers();
$auth = substr($headers['Authorization'],6);
$up = base64_decode($auth);
print($up);
?>

Expected result:
----------------
Should not print anything.

Actual result:
--------------
Prints username and password of authenticated user

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=42347&edit=1
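
The report asks that every function able to read request headers be checked, not only apache_request_headers(). The following audit script is an added example, not part of the original report or of PHP itself: it lists which channels expose Authorization data to a script without ever printing the value. It assumes PHP 7 or later; the function names find_authorization and audit_auth_exposure are hypothetical, and the $_SERVER keys checked are the commonly used ones, not an exhaustive list.

```php
<?php
// Added example: report which request-header channels expose Basic auth
// credentials to a script. Only channel names are output, never the value.

// True if a header map contains a non-empty Authorization header
// (header names are matched case-insensitively).
function find_authorization(array $headers): bool
{
    foreach ($headers as $name => $value) {
        if (strcasecmp((string)$name, 'Authorization') === 0 && $value !== '') {
            return true;
        }
    }
    return false;
}

// $server is a copy of $_SERVER; $headerSources maps a label to the array
// returned by a header-reading function (or false if the call failed).
function audit_auth_exposure(array $server, array $headerSources): array
{
    $exposed = [];
    foreach ($headerSources as $label => $headers) {
        if (is_array($headers) && find_authorization($headers)) {
            $exposed[] = $label;
        }
    }
    // Assumed list of $_SERVER keys that can carry the credentials.
    $keys = ['PHP_AUTH_PW', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'];
    foreach ($keys as $key) {
        if (!empty($server[$key])) {
            $exposed[] = "\$_SERVER['$key']";
        }
    }
    return $exposed;
}

// Collect every header-reading function this SAPI actually provides.
$sources = [];
foreach (['apache_request_headers', 'getallheaders'] as $fn) {
    if (function_exists($fn)) {
        $sources[$fn . '()'] = $fn();
    }
}

$exposed = audit_auth_exposure($_SERVER, $sources);
header('Content-Type: text/plain');
echo $exposed
    ? "Authorization data visible via:\n  " . implode("\n  ", $exposed) . "\n"
    : "No Authorization data visible to this script.\n";
```

Place it in the directory protected by Apache-handled Basic auth and request it while logged in; any channel it lists is readable by every script served from that location.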
