The code is pretty obvious in sapi/apache/mod_php4.c in the init_request_info() function.
On Thu, 9 May 2002, Lenny Miceli wrote:

> I've tried to search the archives/bug reports/FAQs and didn't find any
> definitive answers on the security issue dealing with the plain text password
> being kept in PHP_AUTH_PW even when you use external authentication. Since
> it seems like the developers haven't answered any of the bug reports related
> to this issue, what has anyone done to remove this security issue of being
> able to grab users' passwords? It seems in an older version of PHP you
> could (to quote the older manual):
>
> [Begin quote]
> Note however that the above does not prevent someone who controls a
> non-authenticated URL from stealing passwords from authenticated URL's on the
> same server. The PHP_AUTH_VARS define in php.h can be undefined to make sure
> that these variables will never be set and thus disable anybody from using
> mod_php to try to steal passwords.
> [End quote]
>
> Since it seems that variable (PHP_AUTH_VARS) doesn't exist any longer an
> admin can't use that method any longer. Can someone please mail me what they
> modified in the code or configured to disable this *feature* of external
> passwords being kept in PHP_AUTH_PW. I do NOT mind at all disabling PHP
> authentication entirely since we only use external authentication.
>
> Please mail me directly since I'm not on this list.
>
> Thanks for your time,
> Lenny Miceli
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
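
The exposure discussed in this thread, as an added example (a simplified stand-alone model, not PHP's source and not code from either poster): an HTTP Basic `Authorization` header is only base64 of `user:password`, so whatever decodes it into request variables hands the plaintext password to every script. `struct auth_vars`, `fill_auth_vars` and the `external_auth` flag are hypothetical names, and leaving the fields empty when external authentication is active is an assumed mitigation in the spirit of the old `PHP_AUTH_VARS` switch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical stand-in for the per-request auth fields (not PHP's struct). */
struct auth_vars { char user[64]; char pw[64]; };

/* Decode base64 (padding optional) into out; returns length or -1. */
static int b64_decode(const char *in, char *out, size_t cap)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p || n + 1 >= cap) return -1;      /* bad char or no room left */
        acc = (acc << 6) | (unsigned int)(p - tbl);
        if ((bits += 6) >= 8) {
            bits -= 8;
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Returns 1 if user/pw were populated, 0 if they were left empty. */
int fill_auth_vars(const char *authorization, int external_auth, struct auth_vars *v)
{
    char buf[128], *colon;
    v->user[0] = v->pw[0] = '\0';
    /* Assumed mitigation: never expose credentials the web server itself checks. */
    if (!authorization || external_auth) return 0;
    if (strncasecmp(authorization, "Basic ", 6) != 0) return 0;
    if (b64_decode(authorization + 6, buf, sizeof buf) < 0) return 0;
    if (!(colon = strchr(buf, ':'))) return 0;
    *colon = '\0';                               /* split "user:password" */
    if (strlen(buf) >= sizeof v->user || strlen(colon + 1) >= sizeof v->pw) return 0;
    strcpy(v->user, buf); strcpy(v->pw, colon + 1);
    return 1;
}

int main(void)
{
    struct auth_vars v;
    const char *hdr = "Basic YWxpY2U6czNjcmV0"; /* constructed: alice:s3cret */
    for (int ext = 0; ext <= 1; ext++) {
        int set = fill_auth_vars(hdr, ext, &v);
        printf("external_auth=%d set=%d pw=\"%s\"\n", ext, set, v.pw);
    }
    return 0;
}
```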