Patrick Hutchinson wrote:

Thanks for the response. I basically have an environment analogous to an internal ISP. A lot of corporate users that have the ability to make web pages for the intranet etc. Basically management wants PHP turned off now because a rogue user could potentially gather and store people's passwords just by having a line like this in their web page. I'm looking for a way to not have $_SERVER pass the PHP_AUTH_PW portion at the very minimum, so I can justify to them to turn PHP back on.

I was under the impression that if an external auth method was used that these weren't set, but I guess I was mistaken. Since PHP is being run as a module, Apache basic auth isn't really external.

Thanks.

-Patrick


Yikes, talk about throwing the baby out with the bathwater! You may want to look into the auto_prepend_file php.ini setting. If you really want to do it, you can set it up so that the auto-prepended file unsets those values from $_SERVER so that the scripts can't abuse them.


auto_prepend_file = "/var/www/killPasswords.php"

<?php
unset($_SERVER['PHP_AUTH_PW']);
?>

Richard Harb wrote:

Friday, April 30, 2004, 5:37:15 PM, thus was written:

Hi, Even with register globals off isn't it possible to have a webpage
like this:



Not sure what you are asking. You can have a webpage like this. And I guess it even does what it should - print the information.


<html>
<head>
</head>



<h2>Hello, <?php echo $_SERVER['PHP_AUTH_USER']; ?>
<p>I know your password is <?php echo $_SERVER['PHP_AUTH_PW']; ?>



<body>
</body>
<html>




Is there a way to make sure apache doesn't set the $SERVER['PHP_AUTH_PW
'] global?



No, there is no way. The docs state that those Superglobals are always set. But I wouldn't necessarily say that this is insecure: A user does not have access to those superglobals, except he managed to sneak in some code onto your server - but then you'd have a problem somewhere else.

register_globals was intended as a shortcut for lazy programming (my
biased opinion only!) to automagically have $PHP_AUTH_PW, etc
available. That way some user would have been able to set this
variable easily, e.g. with a GET request. No way to directly set a
superglobal though by conventional means.

Richard





--
paperCrane <Justin Patrin>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Reply via email to