Vulnerability Development mailing list archives
Re: remote_user and apache
From: Benjamin Elijah Griffin <bgriffin () CDDB COM>
Date: Thu, 3 Aug 2000 11:51:08 -0700
Holger van Koll <holger () VANKOLL DE> wrote:

> David Augros wrote:
>> Sorry if this is offtopic, but I figure it's close enough to try. Does anybody know how basic http auth is handled (in particular, by apache)?
>
> In the basic authentication scheme the username and password are arranged as "username:password", then the string is base64 encoded and stuffed into a header as: Authorization: Basic {base64string}. Apache checks the string and sets a REMOTE_USER variable for CGIs if the authentication succeeds. REMOTE_USER is not set if the Authorization: header is sent but not needed.
>
> In short: If apache finds any instruction that the accessed page is protected (e.g. a .htaccess file), it asks for username/pwd for every request. The browser also sends it every time again (however, it only prompts you one time).

Nod.

>> Specifically, I am interested in the env variable 'remote_user'
>
> This variable is set by httpd, not sent by the browser (as most others), so...

The headers browsers send are put into environment variables, but always with HTTP_ prepended. The Authorization: header is not put into a variable (even if authentication is not needed).

>> My interest is in whether the 'remote_user' variable is trustworthy...
>
> it's not easy to forge. A http://somewhere/something.html?remote_user=bla won't forge it.

If some CGI library hides the difference between CGI args and environment variables, then a <http://somewhere/something.html?REMOTE_USER=bla> could do odd things. In PHP the environment variables are not kept in a separate namespace from the CGI variables. PHP won't let a CGI variable override the REMOTE_USER variable when authorization is in effect, but if no authorization is needed, then the CGI variable will be set. If you have a page that is password protected from some parts of the internet and not from others, then those other sites could spoof REMOTE_USER, for whatever that gains them.

Benjamin
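The two mechanisms the thread discusses, the Basic scheme's Authorization header and httpd's CGI handoff (HTTP_ prefixing, REMOTE_USER only on verified credentials), together with the namespace mix-up Benjamin describes, as an added example written for this page; it is not code from the post, from Apache or from PHP. The user store, the request headers and the `register_globals`-style merge (a plain dict merge standing in for a library that pools CGI parameters with the environment) are all constructed assumptions.

```python
import base64
import hmac
from urllib.parse import parse_qs

# Constructed credential store for the example (assumption, not from the post).
USERS = {"alice": "s3cret"}


def make_basic_header(username: str, password: str) -> str:
    """Build what the browser sends: 'Basic ' + base64('username:password')."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_header(value: str):
    """Return (username, password) from an Authorization value, or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def check_credentials(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed store."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def build_cgi_env(request_headers: dict, auth_required: bool):
    """Model httpd's CGI handoff as the thread describes it:
    every request header becomes HTTP_<NAME>, except Authorization, which the
    server consumes and never exports; REMOTE_USER is set only when the
    resource is protected and the credentials verify. Returns None when a
    protected resource is requested without valid credentials (httpd would
    answer 401 and the CGI would never run)."""
    env = {}
    auth_value = ""
    for name, value in request_headers.items():
        if name.lower() == "authorization":
            auth_value = value
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    if auth_required:
        creds = parse_basic_header(auth_value)
        if not (creds and check_credentials(*creds)):
            return None
        env["REMOTE_USER"] = creds[0]
    return env


def remote_user_merged(env: dict, query_string: str):
    """Mimic a library that pools CGI parameters and environment in one namespace
    (assumed model of the PHP behaviour in the post): a server-set REMOTE_USER
    wins, but when httpd set nothing, ?REMOTE_USER=... fills the slot."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    return {**params, **env}.get("REMOTE_USER")


def remote_user_strict(env: dict, query_string: str):
    """Defensive reading: trust only the server-provided environment."""
    return env.get("REMOTE_USER")


if __name__ == "__main__":
    header = make_basic_header("alice", "s3cret")
    protected = build_cgi_env({"Host": "example.test", "Authorization": header}, True)
    open_page = build_cgi_env({"Host": "example.test"}, False)
    print("protected page, merged namespace:", remote_user_merged(protected, "REMOTE_USER=bla"))
    print("open page, merged namespace:     ", remote_user_merged(open_page, "REMOTE_USER=bla"))
    print("open page, strict lookup:        ", remote_user_strict(open_page, "REMOTE_USER=bla"))
```

The merged lookup reproduces the thread's point: on the protected page the query parameter cannot displace the value httpd set, but on an unprotected page the same parameter is the only REMOTE_USER in scope, so any code that keys authorization decisions on it is fooled. The strict lookup, reading only the server environment, is the check a CGI author wants.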
Current thread:
- remote_user and apache David Augros (Aug 02)
- Re: remote_user and apache Holger van Koll (Aug 02)
- Re: remote_user and apache PCbob - Slobodan miskoviC (Aug 02)
- <Possible follow-ups>
- Re: remote_user and apache Benjamin Elijah Griffin (Aug 03)