apache + php + basic auth => password theft => solutions?

Post by Rahul Dhe » Tue, 16 Mar 1999 04:00:00



The use of php allows a user's web pages to require basic
authentication, and then grab and save the password presented by the
user.  This bypasses Apache's normal security mechanism, which otherwise
never supplies a basic auth password to any cgi-bin program.

Scenario:

   Web site A's web pages use a realm 'xxx'.

   Client C connects to web site A, presents username and password for
   realm 'xxx'.

   Client C later connects to web site B hosted on same machine.  Web site
   B sends a WWW-Authenticate header that also specifies realm xxx.
   C's browser sends saved username and password that was used to visit
   web site A.  Web site B grabs this username and password.

Offhand I don't know of any existing solutions.  The php documentation
says that a web site can protect itself by sending a 401 status code,
which will cause some web browsers to clear any saved username and
password.  But (a) not all browsers will do this and (b) not all web
site owners will do this or even know how to do this.

Here is a possible partial solution:  Apache could always require that
the realm in use begin with the username of the directory owner and a
separating character.  E.g., if a directory being protected is owned by
'dhesi', then the realm must begin with 'dhesi.', and this prefix string
could be inserted by Apache if not already present in the realm.

This would prevent different web site owners hosted on a set of machines
from stealing one another's passwords, so long as the machines share a
common set of UNIX usernames.

Does anybody have a better solution?

Post by Rasmus Lerdorf » Tue, 16 Mar 1999 04:00:00



> The use of php allows a user's web pages to require basic
> authentication, and then grab and save the password presented by the
> user.  This bypasses Apache's normal security mechanism, which otherwise
> never supplies a basic auth password to any cgi-bin program.

> Scenario:

>    Web site A's web pages use a realm 'xxx'.

>    Client C connects to web site A, presents username and password for
>    realm 'xxx'.

>    Client C later connects to web site B hosted on same machine.  Web site
>    B sends a WWW-Authenticate header that also specifies realm xxx.
>    C's browser sends saved username and password that was used to visit
>    web site A.  Web site B grabs this username and password.

> Offhand I don't know of any existing solutions.  The php documentation
> says that a web site can protect itself by sending a 401 status code,
> which will cause some web browsers to clear any saved username and
> password.  But (a) not all browsers will do this and (b) not all web
> site owners will do this or even know how to do this.

> Here is a possible partial solution:  Apache could always require that
> the realm in use begin with the username of the directory owner and a
> separating character.  E.g., if a directory being protected is owned by
> 'dhesi', then the realm must begin with 'dhesi.', and this prefix string
> could be inserted by Apache if not already present in the realm.

> This would prevent different web site owners hosted on a set of machines
> from stealing one another's passwords, so long as the machines share a
> common set of UNIX usernames.

> Does anybody have a better solution?

Well, I actually thought of this quite a while ago.  You will notice that
if you turn on PHP's safe-mode then the numerical unix user id is
prepended to any realm sent by a PHP script running in safe mode.  PHP
has been doing this since early version 2.

Safe mode isn't extremely well documented though.  Other than the realm
munging it checks functions that manipulate files by making sure that
the file in question is owned by the same user id as the current php
script being parsed.  And it also restricts any of the exec() family of
functions to only execute things located in a designated safe mode exec
directory.

-Rasmus
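The uid-prefixed realm Rasmus describes, written out as an added PHP example (this is not code from the thread or from PHP's own safe-mode implementation): the script namespaces its realm with the script owner's numeric uid via getmyuid() and challenges with 401, so a realm string chosen by one site owner on the host cannot be made to match another owner's. The credential store is constructed for the example.

```php
<?php
// Added example: emulate in user code the realm namespacing the thread
// describes. Not PHP's safe-mode implementation itself.

// Realm as the site owner would normally write it.
$baseRealm = 'xxx';

// Prefix with the numeric uid of the script file's owner. getmyuid()
// returns the owner of the currently running script.
$realm = getmyuid() . '-' . $baseRealm;

// Constructed credential store for this example only; a real site would
// keep salted hashes outside the document root. username => password_hash().
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Challenge the client with the namespaced realm. Re-sending 401 also makes
// cooperating browsers drop cached credentials for this realm, as the
// thread notes.
function demandAuth(string $realm): void {
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.1 401 Unauthorized');
    echo "Authentication required for realm {$realm}\n";
    exit;
}

// With Apache + mod_php, Basic credentials arrive in these server vars.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

if ($user === null || $pass === null) {
    demandAuth($realm);
}

// password_verify() compares in constant time against the stored hash.
if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
    demandAuth($realm);
}

echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "\n";
```

Run under Apache with mod_php so that PHP_AUTH_USER and PHP_AUTH_PW are populated; under plain CGI those variables are not set and every request will be challenged.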


Post by Rahul Dhe » Tue, 16 Mar 1999 04:00:00



Rasmus Lerdorf writes:
>You will notice that
>if you turn on PHP's safe-mode then the numerical unix user id is
>prepended to any realm sent by a PHP script running in safe mode.  PHP
>has been doing this since early version 2.

Excellent!  That substantially solves the problem.  I just tried it
and it worked.
