httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] do I have access to the user id used in basic authentication?
Date Fri, 06 Feb 2004 18:18:04 GMT

On Fri, 6 Feb 2004, Geoffrey wrote:
> The initial page is static html, but it's a form that's processed by
> perl.  Here's my solution using server-side includes, since I wanted to
> be able to pass the value as an input to the CGI:
>
> <input type="hidden" name="userid"
> value="<!--#echo var="REMOTE_USER"-->">
>
> I wrapped it to fit the email, but in the code, it was all on one line.
>
> Which produces the following in the html nicely:
>
> <input type="hidden" name="userid" value="esoteric">

Whoa.  This is terribly insecure and should only be used if you don't
really care what userid the CGI script sees.  The user could bypass
your HTML page and supply any userid they want to the CGI script.

To make this more secure, you should protect the CGI script itself with
basic auth and look at the REMOTE_USER env variable inside the CGI script.

Joshua.
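The distinction Joshua draws, shown as an added example that is not part of the thread (Geoffrey's script was Perl; this uses Python with constructed CGI environments and form bodies so it runs offline). Apache exports REMOTE_USER to the script only after it has authenticated that request itself, so the script has to sit inside the protected scope, for instance a `<Directory>` block on the cgi-bin directory with `AuthType Basic` and `Require valid-user`. The first function is the hidden-field pattern from the thread; the second is the recommended one, and refuses to run when REMOTE_USER is absent rather than silently falling back to whatever the form says.

```python
from urllib.parse import parse_qs

# Constructed sample requests. The form body is what the browser POSTs; the
# hidden "userid" field is exactly the one the SSI page filled in, and the
# user can edit it before submitting (or skip the page entirely).
HONEST_BODY = "userid=esoteric&comment=hello"
TAMPERED_BODY = "userid=admin&comment=hello"

# Case 1 (constructed): only the static HTML page was behind basic auth.
# The script itself is not, so httpd never authenticated this request and
# does not set REMOTE_USER at all.
ENV_SCRIPT_UNPROTECTED = {
    "REQUEST_METHOD": "POST",
    "SCRIPT_NAME": "/cgi-bin/form.cgi",
}

# Case 2 (constructed): the script is inside the protected scope, so httpd
# checked the Authorization header against the password file and exported
# the verified name before running the script.
ENV_SCRIPT_PROTECTED = {
    "REQUEST_METHOD": "POST",
    "SCRIPT_NAME": "/cgi-bin/form.cgi",
    "AUTH_TYPE": "Basic",
    "REMOTE_USER": "esoteric",
}


def userid_from_form(body):
    """The pattern from the thread: trust the hidden 'userid' form field.
    Anything the client sends is accepted, so this is attacker-controlled."""
    fields = parse_qs(body)
    return fields.get("userid", [None])[0]


def userid_from_auth(environ):
    """Joshua's recommendation: read the identity httpd verified. REMOTE_USER
    is set by the server, not the client, and only when the request to this
    script passed authentication. If it is missing, the script is outside the
    basic-auth scope; refuse rather than guess."""
    user = environ.get("REMOTE_USER")
    if not user:
        raise PermissionError(
            "REMOTE_USER not set: protect the CGI script itself with basic auth"
        )
    return user


def handle_request(environ, body):
    """Resolve the acting user for a request. Returns (user, tampered) where
    tampered is True when the form's userid disagrees with the authenticated
    one, which is worth logging even though only REMOTE_USER is ever used."""
    user = userid_from_auth(environ)
    claimed = userid_from_form(body)
    return user, claimed is not None and claimed != user


if __name__ == "__main__":
    # Hidden field alone: the tampered request simply becomes "admin".
    print("form field says:", userid_from_form(TAMPERED_BODY))
    # Authenticated script: identity comes from httpd, tampering is visible.
    print("protected script sees:", handle_request(ENV_SCRIPT_PROTECTED, TAMPERED_BODY))
    # Unprotected script: no REMOTE_USER, so the script refuses to proceed.
    try:
        handle_request(ENV_SCRIPT_UNPROTECTED, HONEST_BODY)
    except PermissionError as exc:
        print("unprotected script:", exc)
```

The check in `handle_request` is the practical takeaway: once REMOTE_USER is the source of truth, the hidden field can stay in the form for convenience, but a mismatch between the two is a sign someone is submitting outside the intended page and should never change which account the script acts on.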

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

