Edit report at http://bugs.php.net/bug.php?id=8827&edit=1
ID: 8827
Updated by: [email protected]
Reported by: csy at hjc dot edu dot sg
Summary: PHP_AUTH_PW stores password when using External Authentication
-Status: Open
+Status: Closed
Type: Feature/Change Request
-Package: Feature/Change Request
+Package: *General Issues
Operating System: Redhat Linux 6.2
PHP Version: 4.0.4pl1
-Assigned To:
+Assigned To: jani
Block user comment: N
Private report: N

Previous Comments:
------------------------------------------------------------------------

[2002-12-04 10:49:26] [email protected]

I believe this was fixed in 4.3.0, can someone confirm (Jani)?

------------------------------------------------------------------------

[2001-06-10 15:22:07] csy at hjc dot edu dot sg

I understand about the raw headers, which is why I am suggesting if it would be possible to have an administrator-configurable flag to enable/disable PHP storing the password in PHP_AUTH_PW. Assuming that the web server only runs PHP with no CGI and such, it would be pretty difficult(?) for unauthorised users to extract the password from the raw headers. But PHP happily stores it in a variable and allows any programmer to access it.

Thanks!

------------------------------------------------------------------------

[2001-06-09 23:52:43] [email protected]

This is the correct behaviour; the information is available via the raw headers anyway.

- James

------------------------------------------------------------------------

[2001-04-28 23:09:00] csy at hjc dot edu dot sg

Isn't this going to be a big security problem for portal sites using PHP which have a common user base and separate groups of developers developing and selling online services? A malicious group of developers would be able to capture the password, assume the identity of the user and go around "patronising" other services.

How about having a general configuration parameter that disables the storage of the password in PHP_AUTH_PW and HTTP_RAW_HEADERS without the need for PHP to autodetect external authentication? Something like a STORE_PASSWORD = false flag in php.ini which the administrator needs to manually set to on or off.

Thanks!

------------------------------------------------------------------------

[2001-04-28 16:12:30] [email protected]

This is the expected behaviour now. HTTP_RAW_HEADERS holds the same information anyway.

- James

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=8827

--
Edit this bug report at http://bugs.php.net/bug.php?id=8827&edit=1
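The administrator flag proposed in the thread, as an added example written for this page (not code from the bug report or from PHP itself): an auto_prepend_file for a current PHP that emulates STORE_PASSWORD=false, reading the switch from an invented PHP_STORE_PASSWORD environment variable that the web server is assumed to export (for example via SetEnv).

```php
<?php
// Added example, not part of the bug report or of PHP. Emulates the
// STORE_PASSWORD=false flag requested above: when the web server has already
// performed HTTP Basic authentication, drop PHP's copy of the password so
// that application code cannot read it from the superglobals.
//
// Assumption: the web server exports PHP_STORE_PASSWORD (name invented for
// this example). The keys below are the standard PHP/CGI variable names.

const PASSWORD_KEYS = [
    'PHP_AUTH_PW',                  // PHP's decoded Basic-auth password
    'HTTP_AUTHORIZATION',           // raw header, if the SAPI passes it through
    'REDIRECT_HTTP_AUTHORIZATION',  // same header after an internal redirect
];

/**
 * True when password storage is allowed. An absent flag keeps PHP's default
 * behaviour; any value other than on/1/true (case-insensitive) disables it.
 */
function password_storage_enabled(): bool
{
    $flag = getenv('PHP_STORE_PASSWORD');
    if ($flag === false) {
        return true;
    }
    return in_array(strtolower(trim($flag)), ['on', '1', 'true'], true);
}

/**
 * Remove the password-bearing keys from one request array, in place.
 * PHP_AUTH_USER and REMOTE_USER are deliberately left intact so the
 * application still knows who authenticated. Returns the removed keys.
 */
function scrub_auth_password(array &$bag): array
{
    $removed = [];
    foreach (PASSWORD_KEYS as $key) {
        if (array_key_exists($key, $bag)) {
            unset($bag[$key]);
            $removed[] = $key;
        }
    }
    return $removed;
}

if (!password_storage_enabled()) {
    scrub_auth_password($_SERVER);
    scrub_auth_password($_ENV);
}
```

As James notes above, this only removes the convenient copy: the Authorization header is still reachable through the SAPI (for example apache_request_headers()), so stripping the header in the web server itself after it has authenticated the request remains the stronger control.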
