ID:               8827
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
 Status:           Open
 Bug Type:         Feature/Change Request
 Operating System: Redhat Linux 6.2
 PHP Version:      4.0.4pl1
 New Comment:

I believe this was fixed in 4.3.0, can someone confirm (Jani)?


Previous Comments:
------------------------------------------------------------------------

[2001-06-10 15:22:07] [EMAIL PROTECTED]

I understand about the raw headers. Which is why I am suggesting if it
would be possible to have an administrator configurable flag to
enable/disable PHP storing the password in PHP_AUTH_PW.

Assuming that the web server only runs PHP with no CGI and such, it
would be pretty difficult(?) for unauthorised users to extract the
password from the raw headers. But PHP happily stores it in a variable
and allows any programmer to access it.

Thanks!

------------------------------------------------------------------------

[2001-06-09 23:52:43] [EMAIL PROTECTED]

This is the correct behaviour; the information is available via the raw
headers anyway.

- James

------------------------------------------------------------------------

[2001-04-28 23:09:00] [EMAIL PROTECTED]

Isn't this going to be a big security problem for portal sites using
PHP which have a common user base and separate groups of developers
developing and selling online service?

As a malicious group of developers would be able to capture the
password and assume the identity of the user and go around
"patronising" other services.

How about having a general configuration parameter that disables the
storage of the password in PHP_AUTH_PW and HTTP_RAW_HEADERS without
having the need for PHP to autodetect for external authentications?

Something like a STORE_PASSWORD = false flag in php.ini which the
administrator needs to manually set to on or off.

Thanks!

------------------------------------------------------------------------

[2001-04-28 16:12:30] [EMAIL PROTECTED]

This is the expected behaviour now.

HTTP_RAW_HEADERS holds the same information anyway.

- James

------------------------------------------------------------------------

[2001-04-17 04:53:29] [EMAIL PROTECTED]

I am currently running with safe_modes enabled but the password is
still retrievable via the PHP_AUTH_PW variable when using external
authentications.

Thanks!

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/8827

-- 
Edit this bug report at http://bugs.php.net/?id=8827&edit=1
