Vulnerability Development mailing list archives
Re: remote_user and apache
From: PCbob - Slobodan miskoviC <Yugoslavia () CANADA COM>
Date: Wed, 2 Aug 2000 09:50:06 -0700
David Augros wrote:
My interest is in whether the 'remote_user' variable is trustworthy enough to decide that we are dealing with an authenticated user who is not faking his login name. Any insights/pointers are welcome.
The remote_user variable is used for browser authentication, and I do not see any use in spoofing the username, as the server requires the password every time. You are probably thinking that remote user gives you the username on the client machine, which is wrong. So if a user is "spoofing" his username he must "spoof" his password too, which would mean he found out someone else's login data.
cheer
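The behaviour described in the reply above, as an added example that is not part of the original post and is not Apache's code: a small Python model of Basic authentication in which the server sets REMOTE_USER only after verifying the password carried in that request's Authorization header. The user store, the account name and the helper function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed credential store (hypothetical user and password), standing in
# for the server-side password file. Holds salted digests, not cleartext.
_SALT = b"constructed-salt"

def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": _digest("correct horse")}

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def build_cgi_env(request_headers):
    """Model of the server side: REMOTE_USER is set only after the password
    sent with this request has been verified, never from a name alone."""
    env = {}
    creds = parse_basic(request_headers.get("Authorization"))
    if creds is None:
        return env
    user, password = creds
    expected = USERS.get(user)
    # Unknown users are compared against a dummy digest to keep timing uniform.
    ok = hmac.compare_digest(_digest(password), expected or _digest(""))
    if expected is not None and ok:
        env["AUTH_TYPE"] = "Basic"
        env["REMOTE_USER"] = user
    return env

def make_header(user, password):
    """Build the header a browser would send for these credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}
```

A script behind such a server can rely on REMOTE_USER only when the server itself performed the check; a request that reaches the script without passing through the authenticating server carries no such guarantee.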