Vulnerability Development mailing list archives
Re: question about apache
From: "Joshua J. Kugler" <isd () AS UAF EDU>
Date: Wed, 2 Aug 2000 19:33:28 -0800
That would not spoof an environmental variable: the only thing that would do is make the $QUERY_STRING contain "remote_user=kalle". The variable $REMOTE_USER would be unaffected. j----- k-----
Bluefish wrote:Uhm, as far as I can see this mail was posted to me privately? I suggest you try a test-cgi with ?remote_user=kalle. If that doesn't spoof the variable, do some tcpdumping of HTTPD requests and look at how it is sent, I don't know for sure if it is trustworthy, IIRC the variable remote_location isn't. ..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team On Mon, 31 Jul 2000, David Augros wrote:Sorry if this is offtopic, but I figure it's close enough to try. Does anybody know how basic http auth is handled (in particular, by apache)? Specifically, I am interested in the env variable 'remote_user' which is inherited by cgi's. How does this get to the cgi from the browser? I know the login/passwd are uuencoded into a single string and sent to the http server, but does httpd get the username by decoding this string, or does a separate (i.e. spoofable) header indicate the username? My interest is in whether the 'remote_user' variable is trustworthy enough to decide that we are dealing with an authenticated user who is not faking his login name. Any insights/pointers are welcome. -- Dave
-- Joshua Kugler ASUAF Information Services Director isd () as uaf edu
Current thread:
- Re: question about apache Bluefish (Aug 02)
- Re: question about apache Joshua J. Kugler (Aug 02)