Hello everyone!

I am currently using Apache-1.3.14 with php-4.0.4pl1 compiled statically 
into it and running on RedHat Linux 6.2. Apache is configured to do 
authentication for certain URLs via an auth_ldap module which is 
dynamically loaded when Apache starts.

I noticed that when I access the protected URL, PHP_AUTH_PW will give me 
the password for the user who is currently logged in to the protected site. 
If I recall correctly, earlier versions of PHP4 and PHP3 didn't have 
this "feature".

This "feature" creates a problem when the protected URL is shared by 
many parties with each party providing its own services under the 
protected URL as any party would be able to "steal" the 
username/password without the end user knowing. The username/password is 
used to control who has access to the protected URL and the parties are 
not required to make use of the password.

Is there any way to disable this "feature" or is the disclosure of the 
password a bug?

Many thanks for any advice!

-- 
PHP General Mailing List (http://www.php.net/)