If you are improving applications, and want to stay compatible with old code, 
it is necessary to take small steps.
Do it just a little better in each step.
If you introduce new features in a complex environment, you can't do everything 
at once.
Sometimes adding encryption is not needed, but the decision to encrypt or not 
encrypt may change. It is simpler to explain an application if you can say "all 
the data is encrypted and stored encrypted on the hard disk, without a breach in 
the chain".
The application uses SSL and non-SSL. Adding encryption adds only a little bit 
more security, but it is a step.

It is really annoying to see all these questions, which suggest a complete 
rewrite.

Sure, I can do.

--
Deutsche Telekom AG
Seamless ICT Security Infrastructure & Management
on behalf of T-Systems International GmbH
Dipl. Inf Alexander Elgert
Langwadener Strasse 17
64625 Bensheim
+49 176 22 717 661 (Mobile)
+49 671 83419-12 (Tel)
+49 671 83419-30 (Fax)
E-Mail: alexander.elg...@gmx.de

________________________________________
From: André Warnier [a...@ice-sa.com]
Sent: Tuesday, 15 May 2012 23:33
To: mod_perl list
Subject: Re: AW: AUTH password

alexander.elg...@t-systems.com wrote:
> a...@ice-sa.com wrote:
>> alexander.elg...@t-systems.com wrote:
>>> Hello,
>>>
>>> I am looking for a way to retrieve the AUTH password, without using 
>>> mod_rewrite ...
>> I'd be interested in how you would do it, using mod_rewrite.
>> For my personal education..
>
> mod_rewrite is really powerful, you are able to pass any header information 
> to any output.
> I just tried the following rule, it just appends the header to the GET 
> Request.
>
>  RewriteEngine On
>  RewriteRule (.*) $1?HTTP_Authorization=%{HTTP:Authorization} [PT]
>
> Or pass it to ENV:
>  RewriteRule / - [PT,E=HTTP_Authorization:%{HTTP:Authorization}]
>
> http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
>
> In PHP you just need a single line to decode it:
>  var_dump(base64_decode(str_replace('Basic ', '', 
> $_REQUEST['HTTP_Authorization'])));
>
>  var_dump(base64_decode(str_replace('Basic ', '', 
> $_SERVER['HTTP_Authorization'])));
>
> And please do not talk about security, it is just base64, if there is no SSL, 
> anyone in the middle is able to read the password.
>

I gather that this is a very indirect response to my question: you are talking 
about HTTP Basic Authentication. And without SSL, so this is a very insecure 
environment (but we did not know that before).

In that case - one among many possibilities, which is why I was asking - indeed 
the password is "encrypted" (so to speak) and sent over the network as part of 
the HTTP "Authorization" header.
And I gather - which you also did not say - that this is a cgi-bin script, not 
a mod_perl module. So indeed it has a cgi-bin "environment" available to it.
(This is a mod_perl support list, so it is kind of expected that people come 
here to ask mod_perl-specific questions, unless they say otherwise).

So now, about your initial question, does your webserver include mod_perl, and 
is your perl cgi-bin script running under mod_perl?
I am asking because you did not say, and because the response to your question 
is different, depending on your environment.

Basically:
- if you are not running under mod_perl, as a simple cgi-bin perl script, then 
you will also need mod_rewrite, and code similar to what you show above for PHP.
- if you are running under mod_perl, then your script would have access to some 
deeper things within Apache httpd, and you could do this without mod_rewrite.


And there is a side question too, just by curiosity: if this is such an 
insecure environment, why do you bother encrypting the response (using the 
user's password which everyone can get at anyway)?
And if this is running under SSL, then also why bother encrypting the response?
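The Perl counterpart of the PHP one-liner quoted in the thread, as an added example that is not code from either poster: it decodes a Basic "Authorization" header value into user and password, and handles the cases the one-liner does not (header absent, another auth scheme, a password containing a colon). The header source and the sample credential are assumptions noted in the comments.

```perl
#!/usr/bin/perl
# Added example (not from the thread): decode an HTTP Basic "Authorization"
# header value into (user, password), as a Perl CGI script or mod_perl
# handler would do in place of the PHP one-liner quoted above.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# Returns (user, password) on success, or an empty list if the header is
# absent, uses another scheme, or does not decode to "user:password".
sub parse_basic_auth {
    my ($header) = @_;
    return () unless defined $header;
    # The scheme name is case-insensitive; tolerate surrounding whitespace.
    my ($b64) = $header =~ /^\s*Basic\s+([A-Za-z0-9+\/=]+)\s*$/i or return ();
    my $decoded = decode_base64($b64);
    # Only the first colon separates user from password: passwords may
    # themselves contain colons, so do not split on every one.
    my ($user, $pass) = split /:/, $decoded, 2;
    return () unless defined $pass;
    return ($user, $pass);
}

# Where the header comes from depends on the environment discussed above:
#   - a plain CGI script only sees it if something like the RewriteRule
#     quoted earlier copies it into the environment ($ENV{HTTP_Authorization});
#   - a mod_perl handler can read $r->headers_in->{Authorization} directly.
my $header = $ENV{HTTP_Authorization};

# Constructed sample so this runs offline: "alice:s3cr:et" base64-encoded.
$header //= 'Basic YWxpY2U6czNjcjpldA==';

my ($user, $pass) = parse_basic_auth($header);
if (defined $user) {
    # Never log the password itself; its length is enough to confirm parsing.
    printf "user=%s password_length=%d\n", $user, length $pass;
} else {
    print "no usable Basic credentials in Authorization header\n";
}
```

Run without the environment variable set, it prints `user=alice password_length=7`, showing that the colon inside the sample password survives the split.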
