From:             c dot i dot morris at durham dot ac dot uk
Operating system: Linux+Apache
PHP version:      4.4.7
PHP Bug Type:     Safe Mode/open_basedir
Bug description:  Inconsistency of treatments of PHP_AUTH_PW and HTTP Authorization header

Description:
------------
In safe mode, the PHP_AUTH_PW variable is not available to users if the authorisation was handled by Apache rather than PHP (e.g. Apache's various mod_auth_*). This correctly prevents users from reading the passwords from a central user database simply by getting a logged-in user to view their page. However, the HTTP Authorization header is not similarly filtered out in safe_mode, allowing a malicious user to use the code below to read other users' passwords. This definitely affects apache_request_headers() - if there are any other functions also allowing reading of HTTP request headers, they should also be checked.

Reproduce code:
---------------
<?php
// in a directory with Basic auth via Apache configuration
$headers = apache_request_headers();
$auth = substr($headers['Authorization'],6);
$up = base64_decode($auth);
print($up);
?>

Expected result:
----------------
Should not print anything.

Actual result:
--------------
Prints username and password of authenticated user

-- 
Edit bug report at http://bugs.php.net/?id=42347&edit=1
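
For hosts that cannot patch immediately, hosted scripts can be audited for the access pattern the report describes. The following is an added example, not part of the original report or of PHP itself: a line-based scanner that flags PHP source calling apache_request_headers() or its alias getallheaders(), and escalates when the Authorization key is indexed. The function name audit_php and the verdict labels are hypothetical, the sample inputs are constructed, and calls made through variable function names are not detected.

```python
import re

# Functions that hand a mod_php script the raw request headers.
# getallheaders() is an alias of apache_request_headers().
HEADER_CALL = re.compile(r"\b(apache_request_headers|getallheaders)\s*\(", re.I)
# Array index that picks out the Authorization header specifically.
AUTH_KEY = re.compile(r"""\[\s*['"]authorization['"]\s*\]""", re.I)

def audit_php(source):
    """Classify one PHP source text.

    Returns (verdict, findings). verdict is 'credential-read', 'review' or
    'clean' (labels invented for this example); findings is a list of
    (line_number, kind) tuples.
    """
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        if HEADER_CALL.search(line):
            findings.append((number, "header-call"))
        if AUTH_KEY.search(line):
            findings.append((number, "authorization-key"))
    kinds = {kind for _, kind in findings}
    if "header-call" not in kinds:
        # Without a header call the key match is just an unrelated array index.
        return "clean", []
    if "authorization-key" in kinds:
        return "credential-read", findings
    # The whole header array, Authorization included, is in the script's hands.
    return "review", findings

# Constructed sample inputs; REPRO is the script from the report above.
REPRO = r"""<?php
// in a directory with Basic auth via Apache configuration
$headers = apache_request_headers();
$auth = substr($headers['Authorization'],6);
$up = base64_decode($auth);
print($up);
?>"""
DUMP = r'<?php foreach (getallheaders() as $k => $v) { echo "$k: $v\n"; } ?>'
BENIGN = r"<?php echo $_SERVER['PHP_AUTH_USER']; ?>"

if __name__ == "__main__":
    for name, src in (("repro", REPRO), ("dump", DUMP), ("benign", BENIGN)):
        print(name, *audit_php(src))
```

A 'review' verdict still matters: a script that holds the full header array can print the Authorization value without ever naming it.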