Re[2]: [cgiwrap-users] php-cgiwrap won't process authentication headers...
From: Daniel L. <da...@lo...> - 2002-05-01 13:28:36
Hi,

this is only a security problem if all virtual users are on the *same
domain*, such as

  hoster.com/~foo/
  hoster.com/~bar/

If user "bar" succeeds in hijacking users logged in to "foo" he will be able
to get user and password from that user.

BUT this is only an issue with PHP running as module, as PHP-CGI does *not*
set $PHP_AUTH_PW.

  "The HTTP Authentication hooks in PHP are only available when it is
  running as an Apache module and is hence not available in the CGI
  version."

  http://www.php.net/manual/en/features.http-auth.php

You will only be able to find out what user has logged in by looking at
$_SERVER['REMOTE_USER'];

-daniel

----- Original Message -----
From   : Nathan Neulinger [mailto:nn...@um...]
Sent   : Wednesday, 1 May 2002
Subject: [cgiwrap-users] php-cgiwrap won't process authentication headers...

> Problem is - even with that header, you are not going to be able to do
> anything, since the HTTP_AUTHORIZATION header is not provided to CGI's
> since it is such a gaping security hole on multi-user servers.

> Any malicious user on that server can easily trap that passwords for any
> other authenticated service on that server, simply by tricking someone
> into going to a different web page on that server.

> -- Nathan

> Daniel Lorch wrote:
>>
>> Hi,
>>
>> your php-cgiwrap is alright. This is a limitation of PHP running in
>> CGI-mode. Use 'Status:' to make it work:
>>
>>   $realm = "Restricted";
>>   header("WWW-authenticate: basic realm=\"$realm\"") ;
>>   header("Status: 401 Unauthorized");
>>
>> Daniel Lorch http://daniel.lorch.cc/
>>
>> ----- Original Message -----
>> From   : jeff bert [mailto:soi...@sg...]
>> Sent   : Wednesday, 1 May 2002
>> Subject: [cgiwrap-users] php-cgiwrap won't process authentication headers...
>>
>> > my install of php-cgiwrap won't process authentication headers... called
>> > like this:
>>
>> >   $realm = "Restricted";
>> >   header("WWW-authenticate: basic realm=\"$realm\"") ;
>> >   header("HTTP/1.0 401 Unauthorized") ;
>>
>> > Do I have a funky setup or is this a limitation of php-cgiwrap?
>>
>> > The error log shows:
>>
>> > [Tue Apr 30 18:31:43 2002] [error] [client:xx.xx.xx.xx] malformed header
>> > from script. Bad header=HTTP/1.0 401 Unauthorized:
>> > /var/www/cgi-sys/php-cgiwrap
>>
>> > Thanks,
>>
>> > Jeff
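
The two points made in this thread, modelled from the web server's side of the CGI interface: credentials in the Authorization header are withheld from the script (only REMOTE_USER is passed), and a script sets its response code with a "Status:" header, not an HTTP status line. This is an added example, not code from the thread, Apache or cgiwrap; the function names and sample data are constructed for illustration.

```python
# Added example: simplified model of the web-server side of the CGI interface.
# Not Apache or cgiwrap code; function names and sample data are constructed.

WITHHELD = {"authorization", "proxy-authorization"}

def build_cgi_env(request_headers, authenticated_user=None):
    """Turn request headers into CGI variables, withholding credentials."""
    env = {}
    for name, value in request_headers.items():
        if name.lower() in WITHHELD:
            continue  # the script never sees the raw user:password
        env["HTTP_" + name.upper().replace("-", "_")] = value
    if authenticated_user is not None:
        # Set only after the server itself has verified the login.
        env["REMOTE_USER"] = authenticated_user
    return env

def parse_cgi_response(raw):
    """Return (status, headers) from script output; reject bad header lines."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status, headers = "200 OK", []
    for line in head.split("\n"):
        name, sep, value = line.partition(":")
        if not sep or not name or any(c.isspace() for c in name):
            raise ValueError("malformed header from script. Bad header=" + line)
        if name.lower() == "status":
            status = value.strip()  # CGI way to set the response code
        else:
            headers.append((name, value.strip()))
    return status, headers

# Constructed script outputs matching the two snippets in the thread.
CHALLENGE = 'WWW-authenticate: basic realm="Restricted"\n'
BROKEN = CHALLENGE + "HTTP/1.0 401 Unauthorized\n\n"
FIXED = CHALLENGE + "Status: 401 Unauthorized\n\n"

if __name__ == "__main__":
    print(parse_cgi_response(FIXED))
    try:
        parse_cgi_response(BROKEN)
    except ValueError as err:
        print(err)
    request = {"Authorization": "Basic <constructed-placeholder>",
               "User-Agent": "example"}
    print(build_cgi_env(request, authenticated_user="foo"))
```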