Vulnerability Development mailing list archives

Re: remote_user and apache


From: Benjamin Elijah Griffin <bgriffin () CDDB COM>
Date: Thu, 3 Aug 2000 11:51:08 -0700

Holger van Koll <holger () VANKOLL DE> wrote:
David Augros wrote:
Sorry if this is offtopic, but I figure it's close enough to try.

Does anybody know how basic http auth is handled (in particular, by
apache)?

In the basic authentication scheme the username and password
are arranged as "username:password" then the string is base64
encoded and stuffed into a header as:

        Authorization: Basic {base64string}

Apache checks the string and sets a REMOTE_USER variable for
CGIs if the authentication succeeds. REMOTE_USER is not set
if the Authorization: header is sent but not needed.

In short: If apache finds any instruction that the accessed page is
protected (e.g. a .htaccess file), it asks for username/pwd for every
request. The browser also sends it every time again (however it only
prompts you once).

Nod.

Specifically, I am interested in the env variable 'remote_user'
This variable is set by httpd , not sent by the browser (as most
others), so...

The headers browsers send are put into environment variables, but
always with HTTP_ prepended. The Authorization: header is not put
into a variable (even if authentication is not needed).

My interest is in whether the 'remote_user' variable is trustworthy
... it's not easy to forge. A
http://somewhere/something.html?remote_user=bla won't forge it.

If some CGI library hides the difference between CGI args and
environment variables, then a
<http://somewhere/something.html?REMOTE_USER=bla> could do odd
things.

In PHP the environment variables are not kept in a separate
namespace from the CGI variables. PHP won't let a CGI variable
override the REMOTE_USER variable when authorization is in
effect, but if no authorization is needed, then the CGI variable
will be set.

If you have a page that is password protected from some parts
of the internet and not from others, then those other sites
could spoof REMOTE_USER, for whatever that gains them.

Benjamin
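
The mechanism discussed in the thread, as an added Python model that is not part of the original messages and not Apache's or PHP's code: it encodes and decodes the "Authorization: Basic" header, builds a CGI environment the way the post describes Apache doing it (request headers become HTTP_* variables, Authorization is withheld, REMOTE_USER is set only when a protected resource's credentials verify), and then contrasts a lookup in a single merged namespace (modelled on the post's description of PHP, where a query variable can set REMOTE_USER on an unprotected page) with a lookup that reads only the server-set environment. The USERS table, the host names and the query string are constructed for the demo.

```python
import base64
import urllib.parse

# Constructed credential table for the demo (hypothetical users, not from the post).
USERS = {"alice": "s3cret"}


def basic_header(user, password):
    """Build the value a browser sends: 'Basic ' + base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header_value):
    """Decode an 'Authorization: Basic ...' value into (user, password), or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # Only the first ':' separates user from password; passwords may contain ':'.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def build_cgi_env(headers, query_string, protected):
    """Simplified model of how Apache builds a CGI environment: every request
    header becomes HTTP_<NAME>, except Authorization, which is not exported;
    REMOTE_USER is set only when the resource is protected and the credentials
    verify. Returns None to stand for a 401 response."""
    env = {"QUERY_STRING": query_string}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key == "AUTHORIZATION":
            continue
        env["HTTP_" + key] = value
    if protected:
        creds = parse_basic_auth(headers.get("Authorization", ""))
        if creds is None or USERS.get(creds[0]) != creds[1]:
            return None
        env["AUTH_TYPE"] = "Basic"
        env["REMOTE_USER"] = creds[0]
    return env


def parse_query(query_string):
    """Split 'a=1&b=2' into a dict (last value wins)."""
    params = {}
    for pair in query_string.split("&") if query_string else []:
        key, _, value = pair.partition("=")
        params[urllib.parse.unquote_plus(key)] = urllib.parse.unquote_plus(value)
    return params


def remote_user_merged(env, query_string):
    """Lookup in one merged namespace, modelled on the post's description of PHP:
    query variables land beside environment variables, and REMOTE_USER from the
    query is ignored only when the server already set it (authorization in effect)."""
    merged = dict(env)
    for key, value in parse_query(query_string).items():
        if key == "REMOTE_USER" and "REMOTE_USER" in env:
            continue
        merged[key] = value
    return merged.get("REMOTE_USER")


def remote_user_separated(env):
    """Safe lookup: read REMOTE_USER from the server-set environment only."""
    return env.get("REMOTE_USER")


if __name__ == "__main__":
    # Constructed requests: one against a protected page, one against an open page,
    # both carrying the spoof attempt from the thread in the query string.
    spoof_qs = "REMOTE_USER=bla"
    good = {"Host": "somewhere", "Authorization": basic_header("alice", "s3cret")}
    protected_env = build_cgi_env(good, spoof_qs, protected=True)
    open_env = build_cgi_env({"Host": "somewhere"}, spoof_qs, protected=False)
    print("protected page, merged namespace :", remote_user_merged(protected_env, spoof_qs))
    print("open page, merged namespace      :", remote_user_merged(open_env, spoof_qs))
    print("open page, environment only      :", remote_user_separated(open_env))
```

The merged lookup returns "alice" for the protected page but "bla" for the open one, which is exactly the spoofing window described above: a script that trusts REMOTE_USER on a page that is only sometimes protected gets an attacker-chosen name when it is not. Reading the variable from the environment alone (or, in PHP, from $_SERVER rather than a register_globals-style merged namespace) closes it.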
