Posted to dev@httpd.apache.org by Doug MacEachern <do...@opengroup.org> on 1997/05/15 15:45:38 UTC
Re: Fwd> Question regarding mod_auth_sys
rasmus@bellglobal.com wrote:
> So, the only way to build a password grabber is to write a script that
> has the same realm, and the same domain as another page. On a shared server
> this is not difficult to do. Therefore, running mod_auth_sys and mod_php
> and probably mod_perl as well, on a shared server is not a very good idea.
I've recently changed mod_perl so it doesn't hand it off to %ENV, so
CGI-ish scripts can't get at the password. However, $r->header_in or
$r->get_basic_auth_pw can get at it. This was discussed a long while
back here and it was decided that the Perl API should be limited only
as much as the C API is, which you know does have access to the
Authorization header. Of course, it is much easier to write a Perl
grabber script than a compiled-in C module, so there is still a need
to beware.
-Doug
Re: Fwd> Question regarding mod_auth_sys
Posted by ra...@bellglobal.com.
> I've recently changed mod_perl so it doesn't hand it off to %ENV, so
> CGI-ish scripts can't get at the password. However, $r->header_in or
> $r->get_basic_auth_pw can get at it. This was discussed a long while
> back here and it was decided that the Perl API should be limited only
> as much as the C API is, which you know does have access to the
> Authorization header. Of course, it is much easier to write a Perl
> grabber script than a compiled-in C module, so there is still a need
> to beware.
Prompted by this morning's message, I have now added the realm munging
to PHP's SAFE_MODE that is geared towards ISPs running mod_php on a shared
server. When mod_php is compiled in safe mode, it will now add the file
owner's uid to the realm string. Safe mode already handles common
security issues addressed by suExec for CGIs.
-Rasmus
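Why folding the file owner's uid into the realm helps: a browser caches Basic credentials per (host, realm) and re-sends them without prompting whenever it sees a 401 challenge for a realm it already knows, so on a shared host any script that advertises the same realm as the page the user logged in to receives the cached Authorization header. The following is an added example, not code from the thread or from PHP, that models that browser behaviour and runs the scenario with and without a safe-mode style realm. The host name, script paths, uids, the "user:secret" credentials and the `Realm-uid` separator format are all constructed assumptions (the thread does not say how PHP formats the munged realm).

```python
import base64

# Constructed example: two scripts owned by different users on one shared host,
# both advertising the same realm. Paths and uids are made up.
HOST = "shared.example"
SCRIPTS = {
    "members": {"path": "/~alice/members.php", "owner_uid": 1001, "realm": "Members"},
    "other":   {"path": "/~bob/index.php",     "owner_uid": 1002, "realm": "Members"},
}


def challenge_realm(script, safe_mode):
    """Realm string the script's 401 challenge advertises.

    With safe mode on, the file owner's uid is folded into the realm so that
    scripts owned by different users never share a protection space. The
    'Realm-uid' layout is an assumption; the thread only says the uid is added.
    """
    if safe_mode:
        return f"{script['realm']}-{script['owner_uid']}"
    return script["realm"]


class Browser:
    """Minimal model of a browser's Basic-auth credential cache.

    Credentials are keyed on (host, realm); a later challenge for a known
    realm is answered from the cache without asking the user again.
    """

    def __init__(self):
        self._cache = {}

    def login(self, host, realm, user, password):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._cache[(host, realm)] = token

    def respond_to_challenge(self, host, realm):
        """Return the Authorization header the browser would re-send for a
        cached (host, realm), or None when it would have to prompt the user."""
        token = self._cache.get((host, realm))
        return None if token is None else f"Basic {token}"


def header_seen_by(script_name, safe_mode):
    """Run the scenario from the thread: the user authenticates to alice's
    members script, then visits another script that advertises the same
    realm. Returns the Authorization header that second script receives,
    or None if the browser would prompt instead of re-sending credentials."""
    browser = Browser()
    members = SCRIPTS["members"]
    browser.login(HOST, challenge_realm(members, safe_mode), "user", "secret")
    target = SCRIPTS[script_name]
    return browser.respond_to_challenge(HOST, challenge_realm(target, safe_mode))


if __name__ == "__main__":
    for mode in (False, True):
        print(f"safe_mode={mode}: bob's script receives {header_seen_by('other', mode)!r}")
```

Without safe mode, bob's script gets the same `Basic dXNlcjpzZWNyZXQ=` header alice's does; with the uid in the realm the browser treats bob's challenge as a new protection space and prompts the user instead. The mitigation only separates different owners: two scripts with the same uid still share a realm, which is the point of keying on file ownership rather than on path.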