Thanks for the response. I basically have an environment analogous to an internal ISP. A lot of corporate users that have the ability to make web pages for the intranet etc. Basically management wants PHP turned off now because a rogue user could potentially gather and store people's passwords just by having a line like this in their web page. I'm looking for a way to not have $_SERVER pass the PHP_AUTH_PW portion at the very minimum, so I can justify to them to turn PHP back on.
I was under the impression that if an external auth method was used that these weren't set, but I guess I was mistaken. Since PHP is being run as a module, Apache basic auth isn't really external.
Thanks.
-Patrick
Yikes, talk about throwing the baby out with the bathwater! You may want to look into the auto_prepend_file php.ini setting. If you really want to do it, you can set it up so that the auto-prepended file unsets those values from $_SERVER so that the scripts can't abuse them.
auto_prepend_file = "/var/www/killPasswords.php"
<?php unset($_SERVER['PHP_AUTH_PW']); ?>
Richard Harb wrote:
Friday, April 30, 2004, 5:37:15 PM, thus was written:
Hi, Even with register globals off isn't it possible to have a webpage like this:
Not sure what you are asking. You can have a webpage like this. And I guess it even does what it should - print the information.
<html> <head> </head>
<h2>Hello, <?php echo $_SERVER['PHP_AUTH_USER']; ?> <p>I know your password is <?php echo $_SERVER['PHP_AUTH_PW']; ?>
<body> </body> <html>
Is there a way to make sure apache doesn't set the $SERVER['PHP_AUTH_PW '] global?
No, there is no way. The docs state that those Superglobals are always set. But I wouldn't necessarily say that this is insecure: A user does not have access to those superglobals, except he managed to sneak in some code onto your server - but then you'd have a problem somewhere else.
register_globals was intended as a shortcut for lazy programming (my biased opinion only!) to automagically have $PHP_AUTH_PW, etc available. That way some user would have been able to set this variable easily, e.g. with a GET request. No way to directly set a superglobal though by conventional means.
Richard
-- paperCrane <Justin Patrin>
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php