Re: question about apache

["Joshua J. Kugler" <isd () AS UAF EDU>]

That would not spoof an environmental variable: the only thing that
would do is make the $QUERY_STRING contain "remote_user=kalle".  The
variable $REMOTE_USER would be unaffected.

j----- k-----

> Bluefish wrote:
> > Uhm, as far as I can see this mail was posted to me privately?
> >
> > I suggest you try a test-cgi with ?remote_user=kalle.
> > If that doesn't spoof the variable, do some tcpdumping of HTTPD requests
> > and look at how it is sent, I don't know for sure if it is trustworthy,
> > IIRC the variable remote_location isn't.
> >
> > ..:::::::::::::::::::::::::::::::::::::::::::::::::..
> >      http://www.11a.nu || http://bluefish.11a.nu
> >     eleventh alliance development & security team
> >
> > On Mon, 31 Jul 2000, David Augros wrote:
> >
> > > Sorry if this is offtopic, but I figure it's close enough to try.
> > >
> > > Does anybody know how basic http auth is handled (in particular, by
> > > apache)? Specifically, I am interested in the env variable 'remote_user'
> > > which is inherited by cgi's. How does this get to the cgi from the
> > > browser? I know the login/passwd are uuencoded into a single string and
> > > sent to the http server, but does httpd get the username by decoding
> > > this string, or does a separate (i.e. spoofable) header indicate the
> > > username?
> > >
> > > My interest is in whether the 'remote_user' variable is trustworthy
> > > enough to decide that we are dealing with an authenticated user who is
> > > not faking his login name. Any insights/pointers are welcome.
> > >
> > > --
> > > Dave

--
Joshua Kugler
ASUAF Information Services Director
isd () as uaf edu