Posted to dev@httpd.apache.org by Doug MacEachern <do...@opengroup.org> on 1997/05/15 15:45:38 UTC

Re: Fwd> Question regarding mod_auth_sys

rasmus@bellglobal.com wrote:
 
> So, the only way to build a password grabber is to write a script that
> has the same realm, and the same domain as another page.  On a shared server
> this is not difficult to do.  Therefore, running mod_auth_sys and mod_php
> and probably mod_perl as well, on a shared server is not a very good idea.

I've recently changed mod_perl so it doesn't hand it off to %ENV, so
CGI-ish scripts can't get at the password.  However, $r->header_in or
$r->get_basic_auth_pw can get at it.  This was discussed a long while
back here and it was decided that the Perl API should be limited only
as much as the C API is, which you know does have access to the
Authorization header.  Of course, it is much easier to write a Perl
grabber script than a compiled-in C module, so there is still a need
to beware.

-Doug

Re: Fwd> Question regarding mod_auth_sys

Posted by ra...@bellglobal.com.
> I've recently changed mod_perl so it doesn't hand it off to %ENV, so
> CGI-ish scripts can't get at the password.  However, $r->header_in or
> $r->get_basic_auth_pw can get at it.  This was discussed a long while
> back here and it was decided that the Perl API should be limited only
> as much as the C API is, which you know does have access to the
> Authorization header.  Of course, it is much easier to write a Perl
> grabber script than a compiled-in C module, so there is still a need
> to beware.

Prompted by this morning's message, I have now added the realm munging
to PHP's SAFE_MODE, which is geared towards ISPs running mod_php on a shared
server.  When mod_php is compiled in safe mode, it will now add the file
owner's uid to the realm string.  Safe mode already handles common
security issues addressed by suExec for CGIs.

-Rasmus
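The two posts above turn on one browser behaviour: Basic-auth credentials are cached per (host, realm) "protection space" and re-sent automatically to any URL on that host that challenges with the same realm, which is why two tenants sharing an AuthName also share a protection space, and why appending the script owner's uid to the realm separates them. The following Python model is an added illustration of that mechanism; it is not code from the thread, from PHP or from mod_perl. The host name, uids, credentials and the `-` separator between realm and uid are all constructed assumptions (the thread does not state how PHP formats the munged realm).

```python
"""Toy model of why adding the script owner's uid to the Basic-auth realm
stops silent credential reuse between tenants on one shared host.

Browsers remember Basic credentials per (host, realm) and re-send them,
without prompting, to any URL on that host that challenges with the same
realm.  Two tenants who both configure AuthName "Members" therefore share
one protection space.  Appending the script owner's uid gives each tenant
a distinct realm, so the cached credentials no longer match.

Everything below (host, uids, credentials, realm format) is a constructed
sample, not PHP's or mod_perl's actual implementation.
"""
import os
from typing import Dict, Optional, Tuple


def owner_uid(path: str) -> int:
    """uid of the file's owner: the value PHP's safe mode keys the realm on."""
    return os.stat(path).st_uid


def munged_realm(base_realm: str, uid: int) -> str:
    """Realm with the owner's uid appended.  The '-' separator is an assumption."""
    return f"{base_realm}-{uid}"


class BrowserAuthCache:
    """Minimal model of a browser's Basic-auth credential cache."""

    def __init__(self) -> None:
        # (host, realm) -> (user, password); this is the protection-space key
        self._cache: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def login(self, host: str, realm: str, user: str, password: str) -> None:
        """User answers a 401 challenge for (host, realm); the browser remembers it."""
        self._cache[(host, realm)] = (user, password)

    def credentials_for(self, host: str, realm: str) -> Optional[Tuple[str, str]]:
        """What the browser sends unprompted to a URL challenging with this realm."""
        return self._cache.get((host, realm))


def simulate(munge: bool) -> Optional[Tuple[str, str]]:
    """One shared host, two tenants (uid 1001 and 1002), both using AuthName 'Members'.

    Returns the credentials the browser would silently send to tenant 2's
    script after the user has authenticated to tenant 1's area.  None means
    the browser would have to prompt the user again instead.
    """
    host = "shared.example"          # constructed
    tenant1_uid, tenant2_uid = 1001, 1002  # constructed file-owner uids
    base = "Members"
    realm1 = munged_realm(base, tenant1_uid) if munge else base
    realm2 = munged_realm(base, tenant2_uid) if munge else base

    browser = BrowserAuthCache()
    browser.login(host, realm1, "victim", "s3cret")   # constructed credentials
    return browser.credentials_for(host, realm2)


if __name__ == "__main__":
    print("without realm munging:", simulate(munge=False))  # ('victim', 's3cret')
    print("with realm munging:   ", simulate(munge=True))   # None
```

Note what the mitigation does and does not cover: it removes the *silent* replay of cached credentials across tenants, but a second tenant's script can still present its own 401 challenge, and a user who retypes the same password at that prompt hands it over anyway. That is the residual risk Doug's point about `$r->get_basic_auth_pw` describes: any in-process handler that can see the `Authorization` header sees the password the user just typed, and realm munging only narrows when the browser supplies it unasked.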