The code is pretty obvious in sapi/apache/mod_php4.c in the
init_request_info() function.

On Thu, 9 May 2002, Lenny Miceli wrote:

> I've tried to search the archives/bug reports/FAQs and didn't find any
> definitive answers on the security issue dealing with the plain-text password
> being kept in PHP_AUTH_PW even when you use external authentication.  Since
> it seems like the developers haven't answered any of the bug reports related
> to this issue, what has anyone done to remove this security issue of being
> able to grab users' passwords?  It seems in an older version of PHP you
> could (to quote the older manual):
> [Begin quote]
> Note however that the above does not prevent someone who controls a
> non-authenticated URL from stealing passwords from authenticated URLs on the
> same server. The PHP_AUTH_VARS define in php.h can be undefined to make sure
> that these variables will never be set and thus disable anybody from using
> mod_php to try to steal passwords.
> [End quote]
> Since it seems that variable (PHP_AUTH_VARS) doesn't exist any longer, an
> admin can't use that method any longer.  Can someone please mail me what they
> modified in the code or configured to disable this *feature* of external
> passwords being kept in PHP_AUTH_PW.  I do NOT mind at all disabling PHP
> authentication entirely since we only use external authentication.
> Please mail me directly since I'm not on this list.
> Thanks for your time,
>   Lenny Miceli
> --
> PHP General Mailing List (
> To unsubscribe, visit:

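The thread never shows a concrete mitigation, so here is one a server admin could apply without patching mod_php: a script loaded through php.ini's auto_prepend_file that clears the password before any page script runs. This is an added example, not code from the thread or from the PHP project; the install path, the variable names and the choice of which keys to scrub are assumptions, and PHP_AUTH_USER is deliberately left in place so scripts can still see who authenticated.

```php
<?php
// Added example (not from the thread or the PHP source): an auto_prepend_file
// script that removes the plaintext Basic-auth password mod_php copies into
// PHP_AUTH_PW, so a script served from a non-authenticated URL on the same
// server cannot read the password a client sent for an externally
// authenticated URL.
//
// Assumed installation (placeholder path):
//   php.ini:  auto_prepend_file = /etc/php/scrub_auth_pw.php
//
// Caveat: this only scrubs what PHP copied into its own variables. Under
// mod_php the raw Authorization header is still in Apache's header table and
// apache_request_headers() can return it; removing it there must be done in
// Apache or in the SAPI itself (the init_request_info() code mentioned above).

// Keys that carry the password, or the base64 header it was decoded from.
$scrub_keys = array('PHP_AUTH_PW', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION');

// Remove the listed keys from one array (by reference).
// Returns the keys that were actually present, for optional logging.
function scrub_auth_pw(&$vars, $keys)
{
    $removed = array();
    foreach ($keys as $k) {
        // array_key_exists, not isset: catch the key even if its value is null.
        if (array_key_exists($k, $vars)) {
            unset($vars[$k]);
            $removed[] = $k;
        }
    }
    return $removed;
}

// PHP 4.1+ superglobal.
$found = scrub_auth_pw($_SERVER, $scrub_keys);

// Old-style copy that PHP 4 scripts still read.
if (isset($HTTP_SERVER_VARS)) {
    scrub_auth_pw($HTTP_SERVER_VARS, $scrub_keys);
}

// With register_globals=On, mod_php also creates plain globals such as
// $PHP_AUTH_PW; unset them directly rather than passing $GLOBALS by reference.
foreach ($scrub_keys as $k) {
    if (array_key_exists($k, $GLOBALS)) {
        unset($GLOBALS[$k]);
    }
}

// Optional: record that a password reached PHP at all, which is itself a
// sign that a URL under external authentication is also handled by mod_php.
if (in_array('PHP_AUTH_PW', $found)) {
    error_log('scrub_auth_pw: removed PHP_AUTH_PW for ' . $_SERVER['REQUEST_URI']);
}
```

The prepend file runs before every script on the server, so this also disables PHP-side HTTP authentication (which needs PHP_AUTH_PW to compare against); that matches the situation described in the message, where only the external Apache authentication is in use. Because the scrub happens inside PHP, it is only as strong as the list of places PHP exposes the value, which is why the comment points back at the SAPI for a complete fix.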