Vulnerability Development mailing list archives
remote_user and apache
From: David Augros <dave () NRMAIL COM>
Date: Tue, 1 Aug 2000 11:05:13 -0400
Sorry if this is offtopic, but I figure it's close enough to try. Does anybody know how basic http auth is handled (in particular, by apache)? Specifically, I am interested in the env variable 'remote_user' which is inherited by cgi's. How does this get to the cgi from the browser? I know the login/passwd are uuencoded into a single string and sent to the http server, but does httpd get the username by decoding this string, or does a separate (i.e. spoofable) header indicate the username? My interest is in whether the 'remote_user' variable is trustworthy enough to decide that we are dealing with an authenticated user who is not faking his login name. Any insights/pointers are welcome. -- Dave
Current thread:
- remote_user and apache David Augros (Aug 02)
- Re: remote_user and apache Holger van Koll (Aug 02)
- Re: remote_user and apache PCbob - Slobodan miskoviC (Aug 02)
- <Possible follow-ups>
- Re: remote_user and apache Benjamin Elijah Griffin (Aug 03)