httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <>
Subject Re: How to authorize everyone?
Date Thu, 25 Jul 1996 17:34:13 GMT
On Thu, 25 Jul 1996 wrote:
> >   I am not too concerned about CGI stuff.  As long as it can be done
> >   through mod_php, that is more than enough.
> > 
> > I understand that --- the point was that if (a thinly modified) mod_cgi
> > can do this without requiring any support from the auth machinery, then
> > it seems to me that mod_php should be able to do the same thing.
> Yes, it was easy, as you predicted.  My earlier confusion was completely
> due to me not having done my basic homework on the subject.  I now make
> the auth_user, auth_pw and auth_type available to PHP/FI scripts parsed
> by mod_php, but only if the URI is not authenticated by an external 
> mechanism.  I think that should prevent people from writing scripts that
> try to discover peoples' passwords.

It won't prevent it.  If I control a page at http://foo/nasty/ and the
resources at http://foo/victim/ were authentication-protected with the
realm of "gold", a request to http://foo/nasty/ can be returned with a 401
asking for credentials for realm "gold" and the client will give me the
password it associates with realm "gold" on this server.  This is because
passwords are mapped to tuples of hostname and realm, not full URL and
realm (which is good, because then potentially every auth-protected
resource would have required two accesses).  



View raw message