[[ apologies if this is not the place to raise this ]]

We have a problem with our apache/PHP4 web server in that it seems to be making users' passwords available as PHP_AUTH_PW - even though we are using external authentication (mod_auth_samba).

Hunting the php bug database turns up two reports (ID# 7774 and ID# 8827) and (as far as I can see) no fixes.

Having a dig around in the code we think the problem is line 397 of mod_php4.c :

--------------------------------
    if (authorization
        /* && !auth_type(r) */      /* <----- **** line 397 **** */
        && !strcmp(getword(r->pool, &authorization, ' '), "Basic")) {
        tmp = uudecode(r->pool, authorization);
        SG(request_info).auth_user = getword_nulls_nc(r->pool, &tmp, ':');
        if (SG(request_info).auth_user) {
            SG(request_info).auth_user = estrdup(SG(request_info).auth_user);
        }
        SG(request_info).auth_password = tmp;
        if (SG(request_info).auth_password) {
            SG(request_info).auth_password = estrdup(SG(request_info).auth_password);
        }
    } else {
        SG(request_info).auth_user = NULL;
        SG(request_info).auth_password = NULL;
    }
--------------------------------

Uncommenting the line "&& !auth_type(r)" seems to cure the problem in my quick test, but before I roll this into service can someone who knows php and the apache API better than me comment please!

I am a little concerned that I am missing some horrible side effect of uncommenting this - after all, someone commented it out, as looking at an old source tree (4.0b2 I think) I can see that the check was there. It had been commented out by version 4.0.1pl1.

Have I missed something here or is this the fix? (My C is a little rusty to say the least! :-) Why was this commented out? (I suspect a test release that "escaped".) Any clues?

This is fairly urgent as it presents somewhat of a security hole on our web server!!
Thanks,
--
Darren Chapman
Senior Computing Officer
University of Kent, Canterbury, England

--
PHP Development Mailing List <http://www.php.net/>
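The effect of the commented-out check, as an added stand-alone model that is not part of the original message or of the PHP source: the same Basic header is processed with and without the `auth_type` test. `struct req`, `struct creds`, `extract` and the sample headers are hypothetical names, and the model assumes `auth_type` is NULL whenever Apache has no AuthType configured for the URL.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins for the request fields the quoted snippet reads. */
struct req   { const char *authorization; const char *auth_type; };
struct creds { char user[64]; char pw[64]; int exposed; };

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 into out (always NUL-terminated); stops at '=' or junk. */
static void b64decode(const char *in, char *out, size_t cap) {
    unsigned acc = 0; int bits = 0, v; size_t n = 0;
    for (; *in && (v = b64val((unsigned char)*in)) >= 0; in++) {
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits < 8) continue;
        bits -= 8;
        if (n + 1 < cap) out[n++] = (char)((acc >> bits) & 0xFF);
    }
    out[n] = '\0';
}

/* check_auth_type != 0 models the snippet with "&& !auth_type(r)" restored. */
static struct creds extract(const struct req *r, int check_auth_type) {
    struct creds c = { "", "", 0 };
    char buf[64], *colon;
    if (!r->authorization || strncmp(r->authorization, "Basic ", 6)) return c;
    if (check_auth_type && r->auth_type) return c; /* Apache module owns login */
    b64decode(r->authorization + 6, buf, sizeof buf);
    if ((colon = strchr(buf, ':')) != NULL) *colon++ = '\0';
    snprintf(c.user, sizeof c.user, "%s", buf);
    snprintf(c.pw, sizeof c.pw, "%s", colon ? colon : "");
    c.exposed = 1;
    return c;
}

/* Constructed samples: base64("alice:s3cret"), with and without an AuthType. */
static const struct req PROTECTED   = { "Basic YWxpY2U6czNjcmV0", "Basic" };
static const struct req UNPROTECTED = { "Basic YWxpY2U6czNjcmV0", NULL };

int main(void) {
    struct creds off = extract(&PROTECTED, 0), on = extract(&PROTECTED, 1);
    printf("check commented out: exposed=%d pw=%s\n", off.exposed, off.pw);
    printf("check restored:      exposed=%d\n", on.exposed);
    return 0;
}
```

In this model, scripts on URLs with no AuthType (the `UNPROTECTED` sample) still receive the credentials when the check is restored, so only pages whose login is handled by an Apache module stop seeing the password.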