[PHP] External authentication and PHP_AUTH_PW containing plain text password
I've tried to search the archives/bug reports/faq's and didn't find any definitive answers on the security issue dealing with the plain text password being kept in PHP_AUTH_PW even when you use external authentication. Since it seems like the developers haven't answered any of the bug reports related to this issue, what has anyone done to remove this security issue of being able to grab user's passwords.

It seems in an older version of php you could (to quote the older manual):

[Begin quote]
Note however that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URL's on the same server. The PHP_AUTH_VARS define in php.h can be undefined to make sure that these variables will never be set and thus disable anybody from using mod_php to try to steal passwords.
[End quote]

Since it seems that variable (PHP_AUTH_VARS) doesn't exist any longer an admin can't use that method any longer. Can someone please mail me what they modified in the code or configured to disable this *feature* of external passwords being kept in PHP_AUTH_PW. I do NOT mind at all disabling PHP authentication entirely since we only use external authentication.

Please mail me directly since I'm not on this list.

Thanks for your time,
Lenny Miceli

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] zlib double free bug and php question.
I've tried to search the archives/bug reports/faq's and didn't find any definitive answers on the zlib Double Free Bug CERT's Advisory CA-2002-07 issue.

Even though I didn't compile php with the --with-zlib option when I run strings against the php library I still see zlib information. For example:

    > strings libphp4.a | grep -i zlib
    Request error: class file/memory mismatch
    Zlib

So Zlib is still in the libphp4.a library. So does this mean that I could possibly still be vulnerable to the zlib Double Free Bug?

Also, if I DO need to compile php with the --with-zlib option I assume I will also need to give it the --with-zlib-dir option. I assume if that zlib install directory does NOT have the bug, then I would be safe from it. I'm asking since I know there's the ext/zlib directory under the php source directory (well at least php v4.0.6) and I'm not sure if the bug exists somewhere in those files.

Thanks for any help you can give me on those 2 questions. Please mail me directly since I'm not on this list.

Thanks for your time and help,
Lenny Miceli
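
Added example, not part of the original message or of PHP's own tooling: a stricter version of the strings/grep check above. A hit on the bare word "zlib" matches any mention of the name, whereas zlib's deflate.c and inftrees.c each embed a versioned copyright string that survives static linking; the script looks for that marker and compares it with 1.1.4, the zlib release that fixed the CA-2002-07 double free. The script layout and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report zlib versions embedded in a binary or static archive.
# Marker searched for (written by zlib itself), e.g.:
#   " inflate 1.1.3 Copyright 1995-1998 Mark Adler "

FIXED="1.1.4"   # first zlib release containing the CA-2002-07 fix

# Print each distinct embedded zlib version found in file $1, one per line.
zlib_versions() {
    LC_ALL=C grep -a -o -E '(deflate|inflate) [0-9]+(\.[0-9]+)+ Copyright' "$1" |
        awk '{ print $2 }' | sort -u
}

# Succeed if dotted version $1 is strictly older than dotted version $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)" = "$1" ]
}

# Print one verdict per embedded version.
# Returns 0 if all versions are >= FIXED, 1 if any is older,
# 2 if no zlib marker was found at all.
check_zlib() {
    versions=$(zlib_versions "$1")
    if [ -z "$versions" ]; then
        echo "$1: no embedded zlib copyright string found"
        return 2
    fi
    rc=0
    for v in $versions; do
        if version_lt "$v" "$FIXED"; then
            echo "$1: embeds zlib $v (older than $FIXED)"
            rc=1
        else
            echo "$1: embeds zlib $v"
        fi
    done
    return $rc
}

# Usage: sh zlibcheck.sh libphp4.a [more files...]
for f in "$@"; do check_zlib "$f"; done
```

A version older than 1.1.4 is a reason to inspect the bundled source rather than proof of exposure, since a vendor may have patched the code without changing the version string; a result of "no marker" only means this particular string is absent.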