Thread: [cgiwrap-users] php-cgiwrap won't process authentication headers...
From: jeff b. <soi...@sg...> - 2002-05-01 01:40:43
my install of php-cgiwrap won't process authentication headers... called like this:

    $realm = "Restricted";
    header("WWW-authenticate: basic realm=\"$realm\"") ;
    header("HTTP/1.0 401 Unauthorized") ;

Do I have a funky setup or is this a limitation of php-cgiwrap?

The error log shows:

    [Tue Apr 30 18:31:43 2002] [error] [client:xx.xx.xx.xx] malformed header from script. Bad header=HTTP/1.0 401 Unauthorized: /var/www/cgi-sys/php-cgiwrap

Thanks,
Jeff

From: Daniel L. <da...@lo...> - 2002-05-01 08:13:00
Hi,

your php-cgiwrap is alright. This is a limitation of PHP running in CGI-mode. Use 'Status:' to make it work:

    $realm = "Restricted";
    header("WWW-authenticate: basic realm=\"$realm\"") ;
    header("Status: 401 Unauthorized");

Daniel Lorch
http://daniel.lorch.cc/

----- Original Message -----
From : jeff bert [mailto:soi...@sg...]
Sent : Wednesday, 1 May 2002
Subject: [cgiwrap-users] php-cgiwrap won't process authentication headers...

> my install of php-cgiwrap won't process authentication headers... called
> like this:
> $realm = "Restricted";
> header("WWW-authenticate: basic realm=\"$realm\"") ;
> header("HTTP/1.0 401 Unauthorized") ;
> Do I have a funky setup or is this a limitation of php-cgiwrap?
> The error log shows:
> [Tue Apr 30 18:31:43 2002] [error] [client:xx.xx.xx.xx] malformed header
> from script. Bad header=HTTP/1.0 401 Unauthorized:
> /var/www/cgi-sys/php-cgiwrap
> Thanks,
> Jeff

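Added example (not part of any post in this thread, and not Apache, PHP or cgiwrap code): a simplified Python model of how a web server reads the header block a CGI script prints, showing why a bare "HTTP/1.0 401 Unauthorized" line is reported as a bad header while "Status: 401 Unauthorized" sets the response code. The function name, the exception class and both sample outputs are constructed for illustration.

```python
import re

# A CGI header line must be "Name: value"; the name is an HTTP token.
_FIELD = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*)$")


class MalformedHeader(Exception):
    """Raised for a header line that is not 'Name: value'."""


def parse_cgi_response(raw):
    """Split raw CGI output into (status_code, reason, headers, body)."""
    head, sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    if not sep:
        raise MalformedHeader("no blank line after the header block")
    status, reason, headers = 200, "OK", []   # default when no Status: is sent
    for line in head.split("\n"):
        m = _FIELD.match(line)
        if m is None:
            # An HTTP status line has no "Name:" prefix, so it lands here.
            raise MalformedHeader("Bad header=" + line)
        name, value = m.group(1), m.group(2).strip()
        if name.lower() == "status":
            code, _, text = value.partition(" ")
            if not (code.isdigit() and len(code) == 3):
                raise MalformedHeader("Bad header=" + line)
            status, reason = int(code), text   # server builds the status line
        else:
            headers.append((name, value))
    return status, reason, headers, body


# Constructed sample outputs of a CGI script (not captured from a real server).
BROKEN_OUTPUT = ('WWW-authenticate: basic realm="Restricted"\n'
                 'HTTP/1.0 401 Unauthorized\n'
                 'Content-type: text/html\n\nAuthorization required\n')
FIXED_OUTPUT = ('WWW-authenticate: basic realm="Restricted"\n'
                'Status: 401 Unauthorized\n'
                'Content-type: text/html\n\nAuthorization required\n')

if __name__ == "__main__":
    print(parse_cgi_response(FIXED_OUTPUT)[:2])
    try:
        parse_cgi_response(BROKEN_OUTPUT)
    except MalformedHeader as exc:
        print("malformed header from script.", exc)
```
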
From: Nathan N. <nn...@um...> - 2002-05-01 12:40:10
Problem is - even with that header, you are not going to be able to do anything, since the HTTP_AUTHORIZATION header is not provided to CGIs since it is such a gaping security hole on multi-user servers.

Any malicious user on that server can easily trap the passwords for any other authenticated service on that server, simply by tricking someone into going to a different web page on that server.

-- Nathan

Daniel Lorch wrote:
>
> Hi,
>
> your php-cgiwrap is alright. This is a limitation of PHP running in
> CGI-mode. Use 'Status:' to make it work:
>
> $realm = "Restricted";
> header("WWW-authenticate: basic realm=\"$realm\"") ;
> header("Status: 401 Unauthorized");
>
> Daniel Lorch http://daniel.lorch.cc/
>
> ----- Original Message -----
> From : jeff bert [mailto:soi...@sg...]
> Sent : Wednesday, 1 May 2002
> Subject: [cgiwrap-users] php-cgiwrap won't process authentication headers...
>
> > my install of php-cgiwrap won't process authentication headers... called
> > like this:
> >
> > $realm = "Restricted";
> > header("WWW-authenticate: basic realm=\"$realm\"") ;
> > header("HTTP/1.0 401 Unauthorized") ;
> >
> > Do I have a funky setup or is this a limitation of php-cgiwrap?
> >
> > The error log shows:
> >
> > [Tue Apr 30 18:31:43 2002] [error] [client:xx.xx.xx.xx] malformed header
> > from script. Bad header=HTTP/1.0 401 Unauthorized:
> > /var/www/cgi-sys/php-cgiwrap
> >
> > Thanks,
> >
> > Jeff

--
------------------------------------------------------------
Nathan Neulinger                       EMail:  nn...@um...
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

From: Daniel L. <da...@lo...> - 2002-05-01 13:28:36
Hi,

this is only a security problem if all virtual users are on the *same domain*, such as

    hoster.com/~foo/
    hoster.com/~bar/

If user "bar" succeeds to hijack users logged in to "foo" he will be able to get user and password from that user. BUT this is only an issue with PHP running as module, as PHP-CGI does *not* set $PHP_AUTH_PW.

"The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version."
http://www.php.net/manual/en/features.http-auth.php

You will only be able to find out what user has logged in by looking at $_SERVER['REMOTE_USER'];

-daniel

----- Original Message -----
From : Nathan Neulinger [mailto:nn...@um...]
Sent : Wednesday, 1 May 2002
Subject: [cgiwrap-users] php-cgiwrap won't process authentication headers...

> Problem is - even with that header, you are not going to be able to do
> anything, since the HTTP_AUTHORIZATION header is not provided to CGIs
> since it is such a gaping security hole on multi-user servers.
> Any malicious user on that server can easily trap the passwords for any
> other authenticated service on that server, simply by tricking someone
> into going to a different web page on that server.
> -- Nathan
> Daniel Lorch wrote:
>>
>> Hi,
>>
>> your php-cgiwrap is alright. This is a limitation of PHP running in
>> CGI-mode. Use 'Status:' to make it work:
>>
>> $realm = "Restricted";
>> header("WWW-authenticate: basic realm=\"$realm\"") ;
>> header("Status: 401 Unauthorized");
>>
>> Daniel Lorch http://daniel.lorch.cc/
>>
>> ----- Original Message -----
>> From : jeff bert [mailto:soi...@sg...]
>> Sent : Wednesday, 1 May 2002
>> Subject: [cgiwrap-users] php-cgiwrap won't process authentication headers...
>>
>> > my install of php-cgiwrap won't process authentication headers... called
>> > like this:
>>
>> > $realm = "Restricted";
>> > header("WWW-authenticate: basic realm=\"$realm\"") ;
>> > header("HTTP/1.0 401 Unauthorized") ;
>>
>> > Do I have a funky setup or is this a limitation of php-cgiwrap?
>>
>> > The error log shows:
>>
>> > [Tue Apr 30 18:31:43 2002] [error] [client:xx.xx.xx.xx] malformed header
>> > from script. Bad header=HTTP/1.0 401 Unauthorized:
>> > /var/www/cgi-sys/php-cgiwrap
>>
>> > Thanks,
>>
>> > Jeff

From: Daniel L. <da...@lo...> - 2002-05-01 13:33:35
hi,

Sorry Nathan, I misunderstood you. Of course you are completely right - these headers are useless as you won't get access to the password set by the HTTP authorization mechanism.

You'd have to look out for Apache-based authentication mechanisms. There are plenty of mod_auth_* for all your needs. Once a user has logged in successfully you can completely rely on the value $_SERVER['REMOTE_USER'];

-daniel

----- Original Message -----
From : Nathan Neulinger [mailto:nn...@um...]
Sent : Wednesday, 1 May 2002
Subject: [cgiwrap-users] php-cgiwrap won't process authentication headers...

> Problem is - even with that header, you are not going to be able to do
> anything, since the HTTP_AUTHORIZATION header is not provided to CGIs
> since it is such a gaping security hole on multi-user servers.
> Any malicious user on that server can easily trap the passwords for any
> other authenticated service on that server, simply by tricking someone
> into going to a different web page on that server.
> -- Nathan