#72 HTTP authentication hoses admin login

User_Authentication
closed
nobody
5
2014-07-29
2001-11-09
No

The admin code uses PHP's HTTP authentication handling
to prompt for a username and password. This does not
work correctly when the web server itself is configured
to enforce HTTP authentication. (In this case, the
password does not get passed to the PHP code.)

Here's an excerpt from a note on phpwiki-talk about
how to work around this problem:

From: Jeff Dairiki <dairiki@dairiki.org>
Cc: phpwiki-talk@lists.sourceforge.net
Subject: Re: [Phpwiki-talk] admin.php 1.2.1 problem
Date: Fri, 9 Nov 2001 11:53:33 -0800

For 1.2.x, I think the solution is to edit admin.php,
and delete or comment out the $adminpasswd checks.

Change:
if (empty($wikiadmin) || empty($adminpasswd)) {
to
if (empty($wikiadmin) /* || empty($adminpasswd) */) {

And:
if (($PHP_AUTH_USER != $wikiadmin ) ||
($PHP_AUTH_PW != $adminpasswd)) {
to
if (($PHP_AUTH_USER != $wikiadmin ) /* ||
($PHP_AUTH_PW != $adminpasswd)
*/ ) {

Also set $wikiadmin to the username who you'd like to
grant admin privileges to. I think (but I'm not
certain --- so this might be a security problem) that
as long as apache is doing the authentication,
$PHP_AUTH_USER will always be set to the authenticated
user name.

For 1.3.x, at this point the solution is basically the
same, except you have to edit lib/WikiUser.php.

Comment out or delete line 148:
if (!empty($passwd) && $passwd == ADMIN_PASSWD)
(but leave the next line intact.)

At line 160, change:
if (!defined('ADMIN_USER') ||
!defined('ADMIN_PASSWD')
|| ADMIN_USER == '' || ADMIN_PASSWD =='') {
to
if (!defined('ADMIN_USER') /* ||
!defined('ADMIN_PASSWD')
*/
|| ADMIN_USER == '' /* || ADMIN_PASSWD ==''
*/) {

And, as before, set ADMIN_USER (in index.php) to be the
username to whom you want to grant administrative privs.

(I haven't tested this hack with 1.3.x, so if you have
trouble, let me know.)

At some point, we'll stop using HTTP authentication to
gather the username/passwd, and this problem will go
away. But we're not there yet.
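A hardened form of the admin check, as an added example (not PhpWiki's own code): it trusts the username only when the web server has authenticated it, which the server signals through REMOTE_USER, and otherwise verifies the password in PHP. The constant names ADMIN_USER and ADMIN_PASSWD_HASH, their values, and the use of $_SERVER superglobals instead of the register_globals variables of the ticket's era are assumptions of this example.

```php
<?php
// Added example (not PhpWiki's code): one admin check for both modes
// described in the ticket. Constant names and values are constructed.
define('ADMIN_USER', 'wikiadmin');
// Keep a password hash in config, not the cleartext (constructed value).
define('ADMIN_PASSWD_HASH', password_hash('correct-horse-battery', PASSWORD_DEFAULT));

/**
 * Returns true only if the request is authenticated as the admin user.
 *
 * Case 1: the web server enforces HTTP auth itself. PHP never sees the
 *   password, but the server sets REMOTE_USER only after a successful
 *   login. A client cannot forge it: client headers are exposed as
 *   $_SERVER['HTTP_*'] keys, never as REMOTE_USER.
 * Case 2: PHP handles HTTP auth. PHP_AUTH_USER / PHP_AUTH_PW come straight
 *   from the client's Authorization header, so the username alone proves
 *   nothing and the password must be checked here.
 *
 * The workaround quoted in the ticket (drop the password check, trust
 * PHP_AUTH_USER) is only safe in case 1. If server-side auth is ever
 * removed from the admin URL, PHP_AUTH_USER becomes attacker-chosen.
 */
function admin_authenticated(array $server): bool
{
    // Case 1: the server already authenticated this request.
    if (!empty($server['REMOTE_USER'])) {
        return hash_equals(ADMIN_USER, (string) $server['REMOTE_USER']);
    }
    // Case 2: PHP must verify both username and password.
    if (empty($server['PHP_AUTH_USER']) || !isset($server['PHP_AUTH_PW'])) {
        return false;
    }
    return hash_equals(ADMIN_USER, (string) $server['PHP_AUTH_USER'])
        && password_verify((string) $server['PHP_AUTH_PW'], ADMIN_PASSWD_HASH);
}

if (!admin_authenticated($_SERVER)) {
    // Re-prompt the browser; the realm string is arbitrary.
    header('WWW-Authenticate: Basic realm="PhpWiki admin"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Admin login required.');
}
```

Under the server-enforced mode the admin URL must actually be covered by the server's auth configuration; if it is not, REMOTE_USER is absent and the code falls back to checking the password itself rather than trusting the client-supplied name.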

Discussion

  • Closing very old bugs.

    • status: open --> closed