perl-modperl mailing list archives

From <Alexander.Elg...@t-systems.com>
Subject AW: AW: AW: AW: AUTH password
Date Wed, 16 May 2012 16:34:08 GMT
Nice to know that people with an academic degree in computer science and a certificate of
IT security are called "script-kiddy" on this mailing list.

--
Deutsche Telekom AG
Seamless ICT Security Infrastructure & Management
on behalf of T-Systems International GmbH
Dipl. Inf Alexander Elgert
Langwadener Strasse 17
64625 Bensheim
+49 176 22 717 661 (Mobile)
+49 671 83419-12 (Tel)
+49 671 83419-30 (Fax)
E-Mail: alexander.elgert@gmx.de

________________________________________
From: André Warnier [aw@ice-sa.com]
Sent: Wednesday, 16 May 2012 17:07
To: mod_perl list
Subject: Re: AW: AW: AW: AUTH password

Alexander.Elgert@t-systems.com wrote:
> Thank you, it works.
>
> ------------------------------------------------------------------------------
> # http://perl.apache.org/docs/2.0/api/Apache2/RequestRec.html
> # Registry script: read the HTTP Basic auth password through the mod_perl 2 API.
> use strict;
> use warnings;
> use CGI;
> #use Apache ();              # mod_perl 1 API, not available under mod_perl 2
> #use APR::Base64;
> use Apache2::Access ();      # provides $r->get_basic_auth_pw
> use Apache2::RequestRec ();
> use Apache2::RequestUtil ();
> use Apache2::Const -compile => qw(OK);
>
> my $q = CGI->new;
> #print $ENV{MOD_PERL_API_VERSION} . "\n";
> #my $r = Apache->request();  # mod_perl 1 way
> # Get the global request object (requires PerlOptions +GlobalRequest in httpd.conf)
> my $r = Apache2::RequestUtil->request();
> # The raw header is reachable too; decoding it by hand is left commented out
> # because get_basic_auth_pw below does the same job.
> my $pw = $r->headers_in->{Authorization};
> #$pw =~ s/^Basic //;
> #$pw = APR::Base64::decode($pw);
>
> print $q->header();
> #print "Apache->request: ". $pw . "<br>\n";
>
> # Returns (Apache2::Const::OK, $password) only when AuthType Basic applies to this
> # location and the client sent a Basic Authorization header; otherwise the
> # password is undef and $rc holds the error status, so check $rc before printing.
> my ($rc, $basic_pw) = $r->get_basic_auth_pw;
> if ($rc == Apache2::Const::OK) {
>     print "Apache2 Access get_basic_auth_pw: " . $basic_pw . "<br>\n";
> } else {
>     print "get_basic_auth_pw failed, rc=$rc<br>\n";
> }
> ----------------------------------------------------------------------------------
>

There you go.

About all the rest, and the obviously unwelcome comments you got before:

Your initial post was very short on details, and sounded like you thought that being able
to get the user's password after a web authentication was a universal truth, via a cgi-bin
"HTTP_AUTHORIZATION" environment value.
That, and your reference to a one-line PHP script command, frankly made it sound like
something coming from a "script-kiddie".

That is why you got these comments related to security, authentication methods, SSL etc.

HTTP headers of a request are not normally available to a cgi-bin script.
CGI environment values are only there if the httpd server (or some other add-on module)
puts them there before running the script. Some of these environment values may be derived
from original HTTP request headers, but the relationship is not one-to-one.
The user's authentication password is certainly not contained in any standard CGI
environment value.
The user's authentication password is only available from an HTTP request header if the
web authentication method used is HTTP Basic Authentication.  In all other serious web
authentication methods, the password is not transmitted over the net, encrypted or not.
So it is generally not possible for anything running in a webserver, to get to that
password in clear; and rightly so, because people tend to use the same password for any
2-cent web application, as they use to login to their corporate servers.

In other words, if you build your application on the premise that you can get and use the
user's password to encrypt something with it, then your application will not be portable
to any serious context.
Also, if your application has parts running under SSL and parts that don't, then as a
whole it is as insecure as the non-SSL part.  It is the weakest part that determines the
security level, not the strongest part.
The same about implementing security "step by step".  If you start running your
application insecurely, then by the time you make it secure, the user's passwords will
already have been stolen, and can be re-used in the secure version.  Are all users going
to change their passwords then?

In summary, the code above is good as an exercise for mod_perl.  Is it recommended for any
real application?  Certainly not.
Believe it or not, people on this list are only trying to help you, for example in not
writing code that you'll have to rewrite later.
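
The point made above, that only HTTP Basic Authentication puts the password itself into a request header, can be checked without a running httpd. The following is an added example and not code from either poster: a plain-Perl parser for the Authorization header that recovers user and password from a Basic credential but, for a Digest credential, can only report the username and the response hash. The Basic sample is constructed (it decodes to "alice:s3cret"), the Digest sample is the example exchange from RFC 2617 section 3.5, and the Bearer sample is an opaque placeholder.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: shows what a server can and cannot
# recover from an Authorization header. Only the Basic scheme carries the
# user's cleartext password; Digest carries a hash computed over it.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# Parse an Authorization request header value.
# Returns a hashref with 'scheme' and, for Basic only, 'user' and 'password'.
sub parse_authorization {
    my ($header) = @_;
    return { scheme => 'none' } unless defined $header && length $header;

    if ($header =~ m{^Basic\s+([A-Za-z0-9+/=]+)\s*$}i) {
        my $decoded = decode_base64($1);
        # RFC 7617: "user-id:password". Only the first ':' is the separator,
        # so a password that itself contains ':' survives the split.
        my ($user, $pass) = split /:/, $decoded, 2;
        return { scheme => 'basic', user => $user, password => $pass };
    }

    if ($header =~ /^Digest\s+(.*)$/is) {
        my $params = $1;
        my %param;
        # key="quoted value" or key=token, comma separated
        while ($params =~ /(\w+)=(?:"([^"]*)"|([^\s,]+))/g) {
            $param{ lc $1 } = defined $2 ? $2 : $3;
        }
        # 'response' is an MD5 over the credentials, nonce and request;
        # the password itself appears nowhere in the header.
        return {
            scheme   => 'digest',
            user     => $param{username},
            response => $param{response},
        };
    }

    my ($scheme) = $header =~ /^(\S+)/;
    return { scheme => lc $scheme };
}

# Constructed sample headers. The Basic value decodes to "alice:s3cret";
# the Digest value is the example from RFC 2617 section 3.5.
my @samples = (
    'Basic YWxpY2U6czNjcmV0',
    'Digest username="Mufasa", realm="testrealm@host.com", '
      . 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
      . 'qop=auth, nc=00000001, cnonce="0a4f113b", '
      . 'response="6629fae49393a05397450978507c4ef1", '
      . 'opaque="5ccc069c403ebaf9f0171e9517f40e41"',
    'Bearer constructed-opaque-token',
);

for my $h (@samples) {
    my $auth = parse_authorization($h);
    if ($auth->{scheme} eq 'basic') {
        printf "basic:  user=%s password=%s (cleartext on the wire)\n",
            $auth->{user}, $auth->{password};
    }
    elsif ($auth->{scheme} eq 'digest') {
        printf "digest: user=%s response=%s (password not recoverable)\n",
            $auth->{user}, $auth->{response};
    }
    else {
        printf "%s: no password in this header\n", $auth->{scheme};
    }
}
```

Two practical caveats for the approach discussed in the thread. First, Apache's mod_cgi deliberately does not export the Authorization header into the CGI environment, so a cgi-bin script sees no HTTP_AUTHORIZATION unless the administrator sets CGIPassAuth On (httpd 2.4.13 and later); under mod_perl the header is reachable through $r->headers_in, as the posted script shows. Second, even with Basic auth, the cleartext password is only as protected as the transport, which is the SSL point made above.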
