Re: question about apache

[Bluefish <11a () GMX NET>]

---------- Forwarded message ----------
Date: Tue, 01 Aug 2000 11:05:03 -0400
From: David Augros <dave () nrmail com>
To: Bluefish <11a () gmx net>
Subject: Re: question about apache

Doh. Keep forgetting 'reply' doesn't work for lists. Thanks for your
answer. Resending to list also.

Bluefish wrote:
> Uhm, as far as I can see this mail was posted to me privately?
>
> I suggest you try a test-cgi with ?remote_user=kalle.
> If that doesn't spoof the variable, do some tcpdumping of HTTPD requests
> and look at how it is sent, I don't know for sure if it is trustworthy,
> IIRC the variable remote_location isn't.
>
> ..:::::::::::::::::::::::::::::::::::::::::::::::::..
>      http://www.11a.nu || http://bluefish.11a.nu
>     eleventh alliance development & security team
>
> On Mon, 31 Jul 2000, David Augros wrote:
>
> > Sorry if this is offtopic, but I figure it's close enough to try.
> >
> > Does anybody know how basic http auth is handled (in particular, by
> > apache)? Specifically, I am interested in the env variable 'remote_user'
> > which is inherited by cgi's. How does this get to the cgi from the
> > browser? I know the login/passwd are uuencoded into a single string and
> > sent to the http server, but does httpd get the username by decoding
> > this string, or does a separate (i.e. spoofable) header indicate the
> > username?
> >
> > My interest is in whether the 'remote_user' variable is trustworthy
> > enough to decide that we are dealing with an authenticated user who is
> > not faking his login name. Any insights/pointers are welcome.
> >
> > --
> > Dave