RE: Re[2]: [cgiwrap-users] php-cgiwrap won't process authentication headers...
From: Neulinger, N. <nn...@um...> - 2002-05-01 13:31:25
That's true... forgot that most of these are vhosting.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nn...@um...
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

> -----Original Message-----
> From: Daniel Lorch [mailto:da...@lo...]
> Sent: Wednesday, May 01, 2002 8:29 AM
> To: Neulinger, Nathan
> Cc: jeff bert; cgi...@li...
> Subject: Re[2]: [cgiwrap-users] php-cgiwrap won't process
> authentication headers...
>
>
> Hi,
>
> this is only a security problem if all virtual users are on the
> *same domain*, such as
>
>   hoster.com/~foo/
>   hoster.com/~bar/
>
> If user "bar" succeeds to hijack users logged in to "foo" he will be
> able to get user and password from that user.
>
> BUT this is only an issue with PHP running as module, as PHP-CGI does
> *not* set $PHP_AUTH_PW.
>
>   "The HTTP Authentication hooks in PHP are only available when it is
>   running as an Apache module and is hence not available in the CGI
>   version."
>   http://www.php.net/manual/en/features.http-auth.php
>
> You will only be able to find out what user has logged in by looking
> at $_SERVER['REMOTE_USER'];
>
> -daniel
>
> ----- Original Message -----
> From : Nathan Neulinger [mailto:nn...@um...]
> Sent : Mittwoch, 1. Mai 2002
> Subject: [cgiwrap-users] php-cgiwrap won't process
> authentication headers...
>
> > Problem is - even with that header, you are not going to be able to do
> > anything, since the HTTP_AUTHORIZATION header is not provided to CGI's
> > since it is such a gaping security hole on multi-user servers.
>
> > Any malicious user on that server can easily trap that passwords for any
> > other authenticated service on that server, simply by tricking someone
> > into going to a different web page on that server.
>
> > -- Nathan
>
> > Daniel Lorch wrote:
> >>
> >> Hi,
> >>
> >> your php-cgiwrap is alright. This is a limitation of PHP running in
> >> CGI-mode. Use 'Status:' to make it work:
> >>
> >>   $realm = "Restricted";
> >>   header("WWW-authenticate: basic realm=\"$realm\"") ;
> >>   header("Status: 401 Unauthorized");
> >>
> >> Daniel Lorch                                 http://daniel.lorch.cc/
> >>
> >> ----- Original Message -----
> >> From : jeff bert [mailto:soi...@sg...]
> >> Sent : Mittwoch, 1. Mai 2002
> >> Subject: [cgiwrap-users] php-cgiwrap won't process authentication headers...
> >>
> >> > my install of php-cgiwrap won't process authentication headers... called
> >> > like this:
> >>
> >> > $realm = "Restricted";
> >> > header("WWW-authenticate: basic realm=\"$realm\"") ;
> >> > header("HTTP/1.0 401 Unauthorized") ;
> >>
> >> > Do I have a funky setup or is this a limitation of php-cgiwrap?
> >>
> >> > The error log shows:
> >>
> >> > [Tue Apr 30 18:31:43 2002] [error] [client:xx.xx.xx.xx] malformed header
> >> > from script. Bad header=HTTP/1.0 401 Unauthorized:
> >> > /var/www/cgi-sys/php-cgiwrap
> >>
> >> > Thanks,
> >>
> >> > Jeff
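Added example, not part of the thread and not cgiwrap or PHP project code: a sketch that combines the points above, sending the 401 in the form the SAPI accepts and taking identity only from REMOTE_USER. It assumes the web server itself performs the Basic authentication and sets REMOTE_USER; the function names are hypothetical.

```php
<?php
// Added example. auth_challenge_headers() and server_authenticated_user()
// are hypothetical helper names, not part of PHP or cgiwrap.

/** Header lines that signal a Basic-auth 401 for the given SAPI name. */
function auth_challenge_headers(string $sapi, string $realm): array
{
    // Drop control characters, quotes and backslashes so the realm cannot
    // break out of the quoted string or inject another header line.
    $realm = preg_replace('/[\x00-\x1f\x7f"\\\\]/', '', $realm);

    // Per the thread: under CGI a raw "HTTP/1.0 401" line is rejected by the
    // server as a malformed header, so the CGI "Status:" form is used there.
    $is_cgi = strncmp($sapi, 'cgi', 3) === 0;
    $status = $is_cgi ? 'Status: 401 Unauthorized' : 'HTTP/1.0 401 Unauthorized';

    return [$status, 'WWW-Authenticate: Basic realm="' . $realm . '"'];
}

/** User name the web server authenticated, or null if there is none. */
function server_authenticated_user(array $server): ?string
{
    // Assumption: the server checked the credentials and exported REMOTE_USER.
    // The script never sees the password under CGI (no PHP_AUTH_PW and no
    // HTTP_AUTHORIZATION), so it must not try to verify one itself.
    $user = $server['REMOTE_USER'] ?? '';
    return $user !== '' ? $user : null;
}

$user = server_authenticated_user($_SERVER);
if ($user === null) {
    foreach (auth_challenge_headers(php_sapi_name(), 'Restricted') as $line) {
        header($line);
    }
    exit("Authentication required\n");
}

// Escape the name before echoing it into the page.
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES) . "\n";
```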