From: ct at swin dot edu dot au
Operating system: Linux
PHP version: 5.1.4
PHP Bug Type: Safe Mode/open_basedir
Bug description: PHP_AUTH_PW and PHP_AUTH_USER are being exposed

Description:
------------
PHP_AUTH_PW and PHP_AUTH_USER are exposed to other scripts running in a shared host environment.

Reproduce code:
---------------
user1 has a PHP web page http://www.example.com/~user1 that uses external authentication via Apache basic authentication.

/home/user1/public_html/.htaccess

AuthType Basic
AuthName "This is a test"
AuthUserfile /home/user1/public_html/.htpasswd
Require valid-user

user2 has a PHP page http://www.example.com/~user2 that prints out $_SERVER

A user visits http://www.example.com/~user1 (no trailing slash) and enters their username/password in the popup window. The user then visits http://www.example.com/~user2. Their password is then exposed to this script.

This does not happen if the URL of the page asking for authentication has an appended slash. E.g. http://www.example.com/~user/.

Expected result:
----------------
PHP_AUTH_USER and PHP_AUTH_PW should not be exposed to other users' scripts on a shared host.

Actual result:
--------------
PHP_AUTH_USER and PHP_AUTH_PW are exposed to the script even when safe_mode is enabled.

--
Edit bug report at http://bugs.php.net/?id=37970&edit=1
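
The trailing-slash difference reported above is consistent with the authentication-scope rule in RFC 7617 section 2.2, under which a client may preemptively send Basic credentials to any URL that prefix-matches the authenticated URL with everything after its last "/" removed. The Python below is an added example, not part of the original report or of PHP; it assumes the browser applies that rule, and the function names and the candidate URL list are constructed for illustration.

```python
from urllib.parse import urlsplit


def auth_scope(url):
    """Return (scheme, host, path prefix) for an authenticated URL.

    Per RFC 7617 section 2.2 the scope is the URL with all characters
    after the last "/" of the path removed.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    prefix = path[: path.rfind("/") + 1]
    return parts.scheme, parts.netloc.lower(), prefix


def receives_credentials(authenticated_url, other_url):
    """True if other_url falls inside the scope of authenticated_url,
    i.e. a client following the RFC may send the same Authorization
    header to it without being challenged again."""
    scheme, host, prefix = auth_scope(authenticated_url)
    other = urlsplit(other_url)
    same_origin = (other.scheme, other.netloc.lower()) == (scheme, host)
    return same_origin and (other.path or "/").startswith(prefix)


def audit(authenticated_url, candidates):
    """List the candidate URLs that would receive the credentials."""
    return [u for u in candidates if receives_credentials(authenticated_url, u)]


# Constructed sample: per-user pages on the shared host from the report.
SHARED_HOST_URLS = [
    "http://www.example.com/~user1/private.php",
    "http://www.example.com/~user2",
    "http://www.example.com/~user2/dump.php",
]

if __name__ == "__main__":
    for entry in ("http://www.example.com/~user1",
                  "http://www.example.com/~user1/"):
        print(entry, "->", auth_scope(entry)[2])
        for hit in audit(entry, SHARED_HOST_URLS):
            print("   credentials also sent to", hit)
```

On a shared host this means the entry URL that first triggers the login prompt decides how far the credentials travel, so links to a protected directory should always carry the trailing slash.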