From: Tim Wood
Date: Fri, 06 Feb 2004 13:30:45 -0800
To: users@httpd.apache.org
Subject: Re: [users@httpd] do I have access to the user id used in basic authentication?
In-Reply-To: <4023ECEE.6090308@3times25.net>
Message-Id: <5.2.1.1.1.20040206132437.020ba278@mailhost>

At 11:37 AM 02/06/04, Geoffrey wrote:
>> Woh. This is terribly insecure and should only be used if you don't
>> really care what userid the cgi script sees. The user could bypass
>> your html page and supply any userid it wants to the cgi script.
>
> The cgi script is protected by the basic auth as well.
>
> The user id is mapped to other data in a one-to-many relationship, so it's really not going to get them much.
>
> I don't really see how it is insecure. You can't get to that page without entering the userid/password in the pop up. If you do, then you already know what is going to be there.

Another hole is that if the server uses the submitted username to determine authorization, one could log in as user A then POST user B's name to the CGI and run with B's privileges. If the inputted username is informational only, get rid of it and consult the authentication cookie, to avoid confusion like this.

>> To make this more secure, you should protect the cgi script itself with
>> basic auth and look at the REMOTE_USER env variable inside the cgi script.
>
> The cgi script that processes the page is protected by basic auth. All this id gets a person is access to read only data. None of the ids are real machine ids.
>
> Further, the data is not protected by ssl as it's not considered necessary.

The risk is that valuable data will someday be placed behind the weak/confused security mechanism.

TW
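The REMOTE_USER approach the quoted advice recommends, as an added example that is not part of this thread: a Python CGI helper (hypothetical function names, constructed sample input) showing the form-trusting pattern beside one that keys the acting user off REMOTE_USER, which Apache sets only after the script itself is protected by Basic auth, and that reports a mismatched submitted userid so it can be logged.

```python
"""Resolving the acting user in a CGI script: trusting the form vs REMOTE_USER.

Assumes the CGI script is inside a Basic-auth protected location
(e.g. AuthType Basic / Require valid-user), so the web server fills
REMOTE_USER from the verified credentials. Names here are illustrative.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs


def user_from_form(form_body: str) -> Optional[str]:
    """Insecure pattern from the thread: whatever the client POSTs in
    'userid' becomes the acting user, so an authenticated user A can
    simply send userid=B and be treated as B."""
    fields = parse_qs(form_body)
    return fields.get("userid", [None])[0]


def user_from_auth(environ: dict, form_body: str) -> Tuple[str, Optional[str]]:
    """Hardened pattern: authorization keys off REMOTE_USER, which only the
    server sets after checking the Basic-auth credentials. Returns the
    acting user plus a note when a submitted userid disagrees with it,
    so the discrepancy can be logged instead of silently honoured."""
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        # Script is not behind Basic auth (or the auth module did not run):
        # refuse rather than fall back to client-supplied data.
        raise PermissionError("REMOTE_USER unset: CGI script is not protected by Basic auth")
    submitted = parse_qs(form_body).get("userid", [None])[0]
    note = None
    if submitted is not None and submitted != remote_user:
        note = f"submitted userid {submitted!r} ignored; acting as {remote_user!r}"
    return remote_user, note


if __name__ == "__main__":
    # Constructed sample: 'alice' authenticated via Basic auth, form claims 'bob'.
    env = {"REMOTE_USER": "alice", "REQUEST_METHOD": "POST"}
    body = "userid=bob&report=quarterly"
    print("insecure:", user_from_form(body))
    acting, warning = user_from_auth(env, body)
    print("hardened:", acting, "|", warning)
```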