ID: 32392
Updated by: [EMAIL PROTECTED]
Reported By: lacak at users dot sourceforge dot net
-Status: Open
+Status: Bogus
Bug Type: Feature/Change Request
Operating System: Win
PHP Version: 4.3.10

New Comment:
1. In safemode, you can't.

2. They can't simulate the realm in safemode, but they don't need to. Adding the user id to the realm means you can't pretend to be them, but if the user has already visited and logged into that other site and then visits your site, without even sending an Authenticate header their browser will send you their Authorization header for the other site (assuming the same domain, like example.com/~bob vs. example.com/~joe), and if you could grab all the request headers you would now have stolen the user's username and password.

3. This is not a support forum.

Previous Comments:
------------------------------------------------------------------------

[2005-03-21 12:38:37] lacak at users dot sourceforge dot net

Please reply ...

------------------------------------------------------------------------

[2005-03-21 11:58:27] lacak at users dot sourceforge dot net

Thank you rasmus, for the reply:

1. So how can I use "HTTP Digest Authorization" in a PHP script? (Is it impossible? Is there really no solution, today or in the future?)

2. Why is it a security problem? When safe_mode=on, the uid is added to the realm, so other scripts on the same shared (ISP) server cannot simulate the same realm and so steal passwords? And another thing: when I use "HTTP Basic Authorization", $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] are set (so they may be stolen) when safe_mode=on, but the Authorization header is not set.

------------------------------------------------------------------------

[2005-03-21 10:31:21] [EMAIL PROTECTED]

That would allow you to steal passwords from other scripts on the same shared server, which is exactly what safemode is designed to counteract. So no, this won't change.
------------------------------------------------------------------------

[2005-03-21 09:23:48] lacak at users dot sourceforge dot net

Description:
------------
Help, PHP developers, please, please: if PHP is running as an Apache module with safe_mode=on, the Authorization header is not included in the result of the function apache_request_headers(). When I use "HTTP Digest Authorization" in my PHP script I cannot validate the client's response, because I cannot obtain the supplied Authorization header.

Please change the behavior of apache_request_headers() so that it hides the Authorization header only if:
(safe_mode=on) && (AuthType is set to [Basic|Digest] in httpd.conf or .htaccess)
so only if Apache performs the authentication.

Please reply ... Thank you

Reproduce code:
---------------
Sample code:

<?php
$headers = apache_request_headers();
// Raw Authorization header (hidden by safe_mode=on in the reported configuration)
if (isset($headers["Authorization"])) {
    print_r($headers);
    phpinfo();
    exit;
}
// Credentials PHP extracted itself (Basic auth)
if (isset($_SERVER["PHP_AUTH_USER"])) {
    echo $_SERVER["PHP_AUTH_USER"] . ":" . $_SERVER["PHP_AUTH_PW"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}
if (!empty($_SERVER["REMOTE_IDENT"])) {
    echo $_SERVER["REMOTE_IDENT"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}
if (!empty($_SERVER["Authorization"])) {
    echo $_SERVER["Authorization"];
    print_r(apache_request_headers());
    phpinfo();
    exit;
}
// Nothing found: issue a Digest challenge
header("HTTP/1.0 401 Unauthorized");
header("WWW-Authenticate: Digest realm=\"www.myrealm.com\", opaque=\"opaque\", nonce=\"nonce\", stale=\"false\", qop=\"auth\"");
print_r(getallheaders());
exit;
?>

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=32392&edit=1
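The server-side Digest verification the reporter wants to perform, as an added example that is neither the reporter's code nor PHP's own: it assumes the raw Authorization header is available (i.e. safe_mode is off, or a later PHP that exposes the Digest response) and that hash_equals() exists (PHP 5.6+). The realm and nonce are the ones from the report's WWW-Authenticate header; the user, password, URI and cnonce are constructed sample values.

```php
<?php
// Parse "Digest k=v, k="v", ..." into an associative array; false if not Digest.
function parse_digest_header($header) {
    if (strncasecmp($header, 'Digest ', 7) !== 0) return false;
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    $params = array();
    foreach ($m as $p) {
        $params[$p[1]] = (isset($p[3]) && $p[3] !== '') ? $p[3] : $p[2];
    }
    return $params;
}

// RFC 2617 with qop="auth": HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri),
// response = MD5(HA1:nonce:nc:cnonce:qop:HA2).
function digest_response($p, $method, $password) {
    $ha1 = md5($p['username'] . ':' . $p['realm'] . ':' . $password);
    $ha2 = md5($method . ':' . $p['uri']);
    return md5($ha1 . ':' . $p['nonce'] . ':' . $p['nc'] . ':' . $p['cnonce'] . ':' . $p['qop'] . ':' . $ha2);
}

// Verify a client's Authorization header against the challenge we issued.
function verify_digest($header, $method, $users, $realm, $nonce) {
    $p = parse_digest_header($header);
    if ($p === false) return false;
    foreach (array('username', 'realm', 'nonce', 'uri', 'qop', 'nc', 'cnonce', 'response') as $k) {
        if (!isset($p[$k])) return false;
    }
    // Only accept answers to our own realm and nonce, from known users.
    if ($p['realm'] !== $realm || $p['nonce'] !== $nonce || $p['qop'] !== 'auth') return false;
    if (!isset($users[$p['username']])) return false;
    // Constant-time comparison of the expected and supplied response hashes.
    return hash_equals(digest_response($p, $method, $users[$p['username']]), $p['response']);
}

// Constructed sample: user "bob" answering the report's challenge (realm
// "www.myrealm.com", nonce "nonce") for GET /protected/.
$users = array('bob' => 's3cret');
$client = array('username' => 'bob', 'realm' => 'www.myrealm.com', 'nonce' => 'nonce',
                'uri' => '/protected/', 'qop' => 'auth', 'nc' => '00000001', 'cnonce' => '0a4f113b');
$client['response'] = digest_response($client, 'GET', $users['bob']);
$header = 'Digest username="bob", realm="www.myrealm.com", nonce="nonce", uri="/protected/", '
        . 'qop=auth, nc=00000001, cnonce="0a4f113b", response="' . $client['response'] . '", opaque="opaque"';

var_dump(verify_digest($header, 'GET', $users, 'www.myrealm.com', 'nonce'));   // bob's genuine response
var_dump(verify_digest($header, 'POST', $users, 'www.myrealm.com', 'nonce'));  // same response, wrong method
var_dump(verify_digest($header, 'GET', $users, 'www.myrealm.com', 'other'));   // nonce we never issued
```

A real deployment would also issue per-request random nonces with an expiry and track the nc counter to detect replay; the fixed nonce here only mirrors the report's challenge.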