ID: 32392
User updated by: lacak at users dot sourceforge dot net
Reported By: lacak at users dot sourceforge dot net
Status: Bogus
Bug Type: Feature/Change Request
Operating System: Win
PHP Version: 4.3.10
New Comment:
Thank you very much.
I know, that it is not a support forum, but I am looking for a
solution, that could be useful
also for other PHP users.
"HTTP Basic Authorization" sends password only base64 encoded, and may
be
easily stolen.
but
"HTTP Digest Authorization" sends password 'md5 hashed', so for other
script
it is much more harder to steal or gain it.
Wouldn´t it be possible to add in PHP support the Digest Authorization
for example in a form $_SERVER["PHP_AUTH_DIGEST"], where the header
from HTTP
Response would be added if 'Authorization: Digest ...' is used (similar
as the 'Authorization:
Basic ...' in $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"]
even when
safe_mode=On)
1.PHP must parse HTTP header.
2. When it finds Authorization: Basic then fill up
$_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"]
3. add next condition When it finds Authorization: Digest then fill
$_SERVER["PHP_AUTH_DIGEST"]
(I think, that it takes only few lines of source code ?)
Or different way
if safe_mode=On then
HTTP Authorization header is never included in
apache_request_headers(),
but $_SERVER["PHP_AUTH_*"] are set up so script may validate username
and
password ...
so the same logic could be taken for function apache_request_headers(),
already used
when constructing $_SERVER["PHP_AUTH_*"]
Thank you very much for your time and effort.
Please reply.
Laco
Previous Comments:
------------------------------------------------------------------------
[2005-03-21 16:14:27] [EMAIL PROTECTED]
1. In safemode, you can't.
2. They can't simulate the realm in safemode, but they don't need to.
Adding the user id to the realm means you can't pretend to be them, but
if the user has already visited and logged into that other site and then
visit your site, without even sending an Authenticate header their
browser will send you their Authorization header for the other site
(assuming same domain like example.com/~bob vs. example.com/~joe) and
if you could grab all the request headers you will now have stolen the
user's username and password.
3. This is not a support forum
------------------------------------------------------------------------
[2005-03-21 12:38:37] lacak at users dot sourceforge dot net
Please reply ...
------------------------------------------------------------------------
[2005-03-21 11:58:27] lacak at users dot sourceforge dot net
Thank you rasmus, for reply :
1. So how can I use "HTTP Digest Authorization" in PHP script ? (is it
inpossible ? really is no solution, todasy ? or in the future ?)
2. Why is it security problem ? When safe_mode=on, then uid is added to
realm, so other scripts on same shared (ISP) server cannot simulate the
same realm and so steal passwords ?
And at other : when I use "HTTP Basic Authorization", then
$_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] are set (so may
be steal) when safe_mode=on, but header Authorization is not set.
------------------------------------------------------------------------
[2005-03-21 10:31:21] [EMAIL PROTECTED]
That would allow you to steal passwords from other scripts on the same
shared server which is exactly what safemode is designed to counteract.
So no, this won't change.
------------------------------------------------------------------------
[2005-03-21 09:23:48] lacak at users dot sourceforge dot net
Description:
------------
Help PHP Developers, please, please
if PHP is running as Apache module in safe_mode=on
in result of function apache_request_headers() is not included
Authorization header.
When I use "HTTP Digest Authorization" in my PHP script I cannot
validate clients response, because I can not obtain supplied
Authorization header.
Please change behavior of apache_request_headers(), so it hides
Authorization header only if :
(safe_mode=on) && (AuthType is set to [Basic|Digest] in httpd.conf or
.htaccess)
so only if Apache performs authentication
Please rply ...
Thank you
Reproduce code:
---------------
Sample code :
<?php
$headers=apache_request_headers();
if (isset($headers["Authorization"]) {
print_r($headers);
phpinfo();
exit;
}
if (isset($_SERVER["PHP_AUTH_USER"])) {
echo $_SERVER["PHP_AUTH_USER"].":".$_SERVER["PHP_AUTH_PW"];
print_r(apache_request_headers());
phpinfo();
exit;
}
if (!empty($_SERVER["REMOTE_IDENT"])) {
echo $_SERVER["REMOTE_IDENT"];
print_r(apache_request_headers());
phpinfo();
exit;
}
if (!empty($_SERVER["Authorization"])) {
echo $_SERVER["Authorization"];
print_r(apache_request_headers());
phpinfo();
exit;
}
Header( "HTTP/1.0 401 Unauthorized");
Header( "WWW-Authenticate: Digest realm=\"www.myrealm.com\",
opaque=\"opaque\", nonce=\"nonce\", stale=\"false\", qop=\"auth\"");
print_r(getallheaders());
exit;
?>
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=32392&edit=1
