Edit report at https://bugs.php.net/bug.php?id=37970&edit=1
ID:                 37970
Comment by:         schmidt at holzlandbecker dot de
Reported by:        ct at swin dot edu dot au
Summary:            PHP_AUTH_PW and PHP_AUTH_USER are being exposed
Status:             Not a bug
Type:               Bug
Package:            Unknown/Other Function
Operating System:   Linux
PHP Version:        5.1.4
Block user comment: N
Private report:     N

New Comment:

What _exactly_ sets this PHP_AUTH_PW variable for the PHP global variable $_SERVER? What is it for? Why is it called PHP_AUTH_*? What does the browser do for this variable to be forever in $_SESSION? As I can reproduce this with (Apache Kerberos login + PHP 5.3.3) curl, Firefox, Chrome and MS-IE, I would like to know what those "browsers" are doing wrong.

Previous Comments:
------------------------------------------------------------------------

[2006-06-30 07:48:49] [email protected]

Please direct your complaints to the developers of your browser, since your _BROWSER_ sends the login/password pair and it has *nothing* to do with PHP.

------------------------------------------------------------------------

[2006-06-30 04:52:59] ct at swin dot edu dot au

Description:
------------
PHP_AUTH_PW and PHP_AUTH_USER are exposed to other scripts running in a shared host environment.

Reproduce code:
---------------
user1 has a PHP web page http://www.example.com/~user1 that uses external authentication via Apache basic authentication.

/home/user1/public_html/.htaccess:

    AuthType Basic
    AuthName "This is a test"
    AuthUserFile /home/user1/public_html/.htpasswd
    Require valid-user

user2 has a PHP page http://www.example.com/~user2 that prints out $_SERVER.

A user visits http://www.example.com/~user1 (no trailing slash) and enters their username/password in the popup window. The user then visits http://www.example.com/~user2. Their password is then exposed to this script.

This does not happen if the URL of the page asking for authentication has an appended slash, e.g. http://www.example.com/~user/.

Expected result:
----------------
PHP_AUTH_USER and PHP_AUTH_PW should not be exposed to other users' scripts on a shared host.

Actual result:
--------------
PHP_AUTH_USER and PHP_AUTH_PW are exposed to the script even when safe_mode is enabled.

------------------------------------------------------------------------
