Vulnerability Development mailing list archives
Re: question about apache
From: Bluefish <11a () GMX NET>
Date: Wed, 2 Aug 2000 20:03:06 +0200
---------- Forwarded message ---------- Date: Tue, 01 Aug 2000 11:05:03 -0400 From: David Augros <dave () nrmail com> To: Bluefish <11a () gmx net> Subject: Re: question about apache Doh. Keep forgetting 'reply' doesn't work for lists. Thanks for your answer. Resending to list also. Bluefish wrote:
Uhm, as far as I can see this mail was posted to me privately? I suggest you try a test-cgi with ?remote_user=kalle. If that doesn't spoof the variable, do some tcpdumping of HTTPD requests and look at how it is sent, I don't know for sure if it is trustworthy, IIRC the variable remote_location isn't. ..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team On Mon, 31 Jul 2000, David Augros wrote:Sorry if this is offtopic, but I figure it's close enough to try. Does anybody know how basic http auth is handled (in particular, by apache)? Specifically, I am interested in the env variable 'remote_user' which is inherited by cgi's. How does this get to the cgi from the browser? I know the login/passwd are uuencoded into a single string and sent to the http server, but does httpd get the username by decoding this string, or does a separate (i.e. spoofable) header indicate the username? My interest is in whether the 'remote_user' variable is trustworthy enough to decide that we are dealing with an authenticated user who is not faking his login name. Any insights/pointers are welcome. -- Dave
Current thread:
- Re: question about apache Bluefish (Aug 02)
- Re: question about apache Joshua J. Kugler (Aug 02)