Vulnerability Development mailing list archives

Re: remote_user and apache


From: PCbob - Slobodan miskoviC <Yugoslavia () CANADA COM>
Date: Wed, 2 Aug 2000 09:50:06 -0700

David Augros wrote:

My interest is in whether the 'remote_user' variable is trustworthy
enough to decide that we are dealing with an authenticated user who is
not faking his login name. Any insights/pointers are welcome.

    The remote_user variable is used for browser authentication, and I do
not see any use of spoofing username as server requires password every
time. You are probably thinking that remote user gives you the username on
client machine, which is wrong. So if user is "spoofing" his username he
must "spoof" his password too, which would mean he found out someone else's
login data.

    cheer
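
Added illustration, not part of the original post: a small Python model of the server-side check behind HTTP Basic authentication, showing that the name ending up in REMOTE_USER comes only from credentials verified on each request. The credential store, the SHA-256 hashing and the function names are assumptions made for this example; Apache's own password file formats differ.

```python
import base64
import hashlib
import hmac

# Constructed credential store: username -> SHA-256 hex digest of the password.
# (Assumption for this example only; not an Apache htpasswd format.)
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def remote_user_for(headers):
    """Return the name a server would expose as REMOTE_USER, or None (401)."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None  # no credentials sent: nothing to put in REMOTE_USER
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # malformed: Basic credentials are "user:password"
    expected = USERS.get(user, "")
    supplied = hashlib.sha256(password.encode("utf-8")).hexdigest()
    # The user name is accepted only together with its matching password.
    if not hmac.compare_digest(expected, supplied):
        return None
    return user


def basic(user, password):
    """Build the header a browser resends on every request to the realm."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    print(remote_user_for(basic("alice", "correct horse")))
    print(remote_user_for(basic("alice", "guess")))
```
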

