Edit report at https://bugs.php.net/bug.php?id=37970&edit=1

 ID:                 37970
 Comment by:         schmidt at holzlandbecker dot de
 Reported by:        ct at swin dot edu dot au
 Summary:            PHP_AUTH_PW and PHP_AUTH_USER are being exposed
 Status:             Not a bug
 Type:               Bug
 Package:            Unknown/Other Function
 Operating System:   Linux
 PHP Version:        5.1.4
 Block user comment: N
 Private report:     N

 New Comment:

typo:
what does the browser do, for this variable to be forever in $_SERVER?


Previous Comments:
------------------------------------------------------------------------
[2013-01-24 12:13:03] schmidt at holzlandbecker dot de

What _exactly_ sets this PHP_AUTH_PW variable in the PHP global variable 
$_SERVER?
What is it for?
Why is it called PHP_AUTH_*?
What does the browser do for this variable to be forever in $_SESSION?

As I can reproduce this with (Apache Kerberos login + PHP 5.3.3) curl, Firefox, 
Chrome and MS-IE, I would like to know what those "browsers" are doing wrong.

------------------------------------------------------------------------
[2006-06-30 07:48:49] [email protected]

Please direct your complaints to the developers of your browser, since your 
_BROWSER_ sends login/password pair and it has *nothing* to do with PHP.


------------------------------------------------------------------------
[2006-06-30 04:52:59] ct at swin dot edu dot au

Description:
------------
PHP_AUTH_PW and PHP_AUTH_USER are exposed to other scripts running in a shared 
host environment.

Reproduce code:
---------------
user1 has a PHP web page http://www.example.com/~user1 that uses external 
authentication via Apache basic authentication.

/home/user1/public_html/.htaccess

AuthType Basic
AuthName "This is a test"
AuthUserFile /home/user1/public_html/.htpasswd
Require valid-user

user2 has a PHP page http://www.example.com/~user2 that prints out $_SERVER

A user visits http://www.example.com/~user1 (no trailing slash) and enters 
their username/password in the popup window.

The user then visits http://www.example.com/~user2.  Their password is then 
exposed to this script.

This does not happen if the URL of the page asking for authentication has an 
appended slash, e.g. http://www.example.com/~user/.

Expected result:
----------------
PHP_AUTH_USER and PHP_AUTH_PW should not be exposed to other users' scripts on a 
shared host.

Actual result:
--------------
PHP_AUTH_USER and PHP_AUTH_PW are exposed to script even when safe_mode is 
enabled.


------------------------------------------------------------------------
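The trailing-slash behaviour in the report follows from how browsers scope HTTP Basic credentials: per RFC 7617, once a 401 challenge is answered, the browser keeps sending the Authorization header to every path at or below the directory of the challenging URL. A challenge at /~user1 (no slash) therefore scopes the credentials to "/", which covers /~user2, while a challenge at /~user1/ scopes them to /~user1/. The following is an added illustration of that rule, not code from the bug report or from PHP; the URLs are the example hosts from the report.

```python
from urllib.parse import urlsplit


def protection_space(challenge_url: str) -> str:
    """Path prefix to which a browser will re-send Basic credentials obtained
    at challenge_url: everything up to and including the last '/' of the
    challenging request's path (RFC 7617, section 2.2)."""
    path = urlsplit(challenge_url).path or "/"
    return path[: path.rfind("/") + 1]


def credentials_reused(challenge_url: str, later_url: str) -> bool:
    """True if credentials entered for challenge_url would be sent, unasked,
    with a later request to later_url (same scheme and host, and a path
    inside the protection space).  In a shared-hosting setup this is exactly
    the case in which another user's script sees PHP_AUTH_USER/PHP_AUTH_PW."""
    a, b = urlsplit(challenge_url), urlsplit(later_url)
    if (a.scheme, a.netloc) != (b.scheme, b.netloc):
        return False
    later_path = b.path or "/"
    return later_path.startswith(protection_space(challenge_url))


if __name__ == "__main__":
    # The two cases from the report: without and with the trailing slash.
    for challenge in ("http://www.example.com/~user1",
                      "http://www.example.com/~user1/"):
        space = protection_space(challenge)
        leaks = credentials_reused(challenge, "http://www.example.com/~user2")
        print(f"{challenge:<35} scope={space:<10} sent to /~user2: {leaks}")
```

For the defender, the same rule gives the mitigation: make sure the challenge is only ever issued for a URL that ends in the protected directory's slash (redirect /~user1 to /~user1/ before authentication applies), so the credential scope cannot widen to the whole host.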