Posted to modperl@perl.apache.org by Al...@t-systems.com on 2012/05/15 19:27:34 UTC

AUTH password

Hello,

I am looking for a way to retrieve the AUTH password, without using mod_rewrite ...

 my $cgi = new CGI;
 $cgi->remote_user; # this is the user
 $cgi->remote_password???; # but where is the password?

In PHP, this is $_SERVER['PHP_AUTH_PW'].

It would be nice to know, if there is a proper way to do such a thing.

Greetings,
Alexander Elgert

----
RFC 3875                    CGI Version 1.1                 October 2004


9.2.  Header Fields Containing Sensitive Information

   Some HTTP header fields may carry sensitive information which the
   server should not pass on to the script unless explicitly configured
   to do so.  For example, if the server protects the script by using
   the Basic authentication scheme, then the client will send an
   Authorization header field containing a username and password.  The
   server validates this information and so it should not pass on the
   password via the HTTP_AUTHORIZATION meta-variable without careful
   consideration.  This also applies to the Proxy-Authorization header
   field and the corresponding HTTP_PROXY_AUTHORIZATION meta-variable.



--
Deutsche Telekom AG
Seamless ICT Security Infrastructure & Management
on behalf of T-Systems International GmbH
Dipl. Inf Alexander Elgert
Langwadener Strasse 17
64625 Bensheim
+49 176 22 717 661 (Mobile)
+49 671 83419-12 (Tel)
+49 671 83419-30 (Fax)
E-Mail: alexander.elgert@gmx.de

Re: AW: AW: AW: AW: AUTH password

Posted by André Warnier <aw...@ice-sa.com>.
Alexander.Elgert@t-systems.com wrote:
> Nice to know, that people with an academic degree in computer science and a certificate of IT security are called "script-kiddy" on this mailing list.
> 
I wrote ".. made it /sound/ like something coming from a "script-kiddie".  I did not say 
you were.
Re-reading your first post now, I still get that same impression.
So maybe it is just the way you ask questions.. or the way I read them.
In view of the academic qualifications above, I am still a bit surprised at the gist of your
messages, or at least their phrasing.
But let's just put that on my own account, and leave it at that.

Hoping to have helped anyway, in some way.
Cheers




AW: AW: AW: AW: AUTH password

Posted by Al...@t-systems.com.
Nice to know, that people with an academic degree in computer science and a certificate of IT security are called "script-kiddy" on this mailing list.


Re: AW: AW: AW: AUTH password

Posted by André Warnier <aw...@ice-sa.com>.
Alexander.Elgert@t-systems.com wrote:
> Thank you, it works.
> 
> ------------------------------------------------------------------------------
> # http://perl.apache.org/docs/2.0/api/Apache2/RequestRec.html
> use CGI;
> #use Apache ();
> #use APR::Base64;
> use Apache2::Access ();
> use Apache2::RequestRec ();
> use Apache2::RequestUtil ();
> 
> my $q = CGI->new;
> #print $ENV{MOD_PERL_API_VERSION} . "\n";
> #my $r = Apache->request();
> my $r = Apache2::RequestUtil->request(); #httpd.conf # get the global request object (requires PerlOptions +GlobalRequest)
> $pw = $r->headers_in->{Authorization};
> #$pw =~ s/^Basic //;
> #$pw = APR::Base64::decode($pw);
> 
> print $q->header();
> #print "Apache->request: ". $pw . "<br>\n";
> 
> (my $rc, $pw)=$r->get_basic_auth_pw;
> print "Apache2 Access get_basic_auth_pw: " . $pw . "<br>\n";
> ----------------------------------------------------------------------------------
> 

There you go.

About all the rest, and the obviously unwelcome comments you got before :

Your initial post was very short on details, and sounded like you thought that being able 
to get the user's password after a web authentication was a universal truth, via a cgi-bin 
"HTTP_AUTHORIZATION" environment value.
That, and your reference to a one-line PHP script command, frankly made it sound like
something coming from a "script-kiddie".

That is why you got these comments related to security, authentication methods, SSL etc..

HTTP headers of a request are not normally available to a cgi-bin script.
CGI environment values are only there if the httpd server (or some other add-on module) 
puts them there before running the script. Some of these environment values may be derived 
from original HTTP request headers, but the relationship is not one-to-one.
The user's authentication password is certainly not contained in any standard CGI 
environment value.
The user's authentication password is only available from a HTTP request header, if the 
web authentication method used is HTTP Basic Authentication.  In all other serious web 
authentication methods, the password is not transmitted over the net, encrypted or not.
So it is generally not possible for anything running in a webserver, to get to that 
password in clear; and rightly so, because people tend to use the same password for any 
2-cent web application, as they use to login to their corporate servers.

In other words, if you build your application on the premise that you can get and use the 
user's password to encrypt something with it, then your application will not be portable 
to any serious context.
Also, if your application has parts running under SSL and parts that don't, then as a 
whole it is as insecure as the non-SSL part.  It is the weakest part that determines the 
security level, not the strongest part.
The same about implementing security "step by step".  If you start running your 
application insecurely, then by the time you make it secure, the user's passwords will 
already have been stolen, and can be re-used in the secure version.  Are all users going 
to change their passwords then ?

In summary, the code above is good as an exercise for mod_perl.  Is it recommended for any 
real application ? certainly not.
Believe it or not, people on this list are only trying to help you, for example in not 
writing code that you'll have to rewrite later.

AW: AW: AW: AUTH password

Posted by Al...@t-systems.com.
Thank you, it works.

------------------------------------------------------------------------------
# http://perl.apache.org/docs/2.0/api/Apache2/RequestRec.html
use CGI;
#use Apache ();
#use APR::Base64;
use Apache2::Access ();
use Apache2::RequestRec ();
use Apache2::RequestUtil ();

my $q = CGI->new;
#print $ENV{MOD_PERL_API_VERSION} . "\n";
#my $r = Apache->request();
my $r = Apache2::RequestUtil->request(); #httpd.conf # get the global request object (requires PerlOptions +GlobalRequest)
$pw = $r->headers_in->{Authorization};
#$pw =~ s/^Basic //;
#$pw = APR::Base64::decode($pw);

print $q->header();
#print "Apache->request: ". $pw . "<br>\n";

(my $rc, $pw)=$r->get_basic_auth_pw;
print "Apache2 Access get_basic_auth_pw: " . $pw . "<br>\n";
----------------------------------------------------------------------------------




Re: AW: AW: AUTH password

Posted by Torsten Förtsch <to...@gmx.net>.
On Wednesday, 16 May 2012 11:25:56 Alexander.Elgert@t-systems.com wrote:
> sure I am interested in the mod_perl answer to retrieve the AUTH password.

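($pw=$r->headers_in->{Authorization})=~s/^Basic\s+//i;  # strip the scheme first (needs: use APR::Base64 ();)
($pw=APR::Base64::decode($pw))=~s/^[^:]*://;            # drop only "user:", the password may contain ":"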

or

use Apache2::Access ();
($rc, $pw)=$r->get_basic_auth_pw;

> I am using mod_perl on a x86 sparc with oracle 10, 32 bit client.
> 
> If the payload is stored to a harddisk, then it makes sense to encrypt the
> payload. But as said, I do not want to talk about all the reasons, why I
> prefer this solution.

With pure modperl nothing is stored/cached on disk. CGI.pm may store file 
uploads. HTTP headers are not stored in any way. The operating system, 
however, may decide to store this information on disk by means of virtual 
memory management. To prevent that you can turn off swapping completely or 
forbid swapping by locking your process into RAM (see mlockall(2)).

As for the 2 mod_rewrite based solutions, both reveal the password at least on 
standard Linux to a possibly unauthorized audience even with SSL if a 
traditional CGI script is involved. Both rely on passing the information via 
the process environment which is readable via /proc. This is perhaps the 
reason why the header was not passed on in the first place.

Torsten Förtsch

-- 
Need professional modperl support? Hire me! (http://foertsch.name)

Like fantasy? http://kabatinte.net
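
As an added example (not part of the thread and not code from the Apache or mod_perl projects), a small Python audit that flags httpd directives which copy the Authorization or Proxy-Authorization header to where a CGI child receives it in its process environment, the exposure described above. It goes beyond the two RewriteRule forms quoted in this thread by also checking SetEnvIf and CGIPassAuth; the sample configuration is constructed.

```python
import re

# Request headers that RFC 3875 section 9.2 says should not be handed to scripts.
SENSITIVE = r"(?:Proxy-)?Authorization"
HDR_REF = re.compile(r"%\{HTTP:" + SENSITIVE + r"\}", re.I)
ENV_FLAG = re.compile(r"\bE=([^:,\]]+):[^,\]]*%\{HTTP:" + SENSITIVE + r"\}", re.I)
FLAGS = re.compile(r"\s\[[^\]]*\]\s*$")            # trailing [flag,flag] block of a RewriteRule
SETENV_COPY = re.compile(r'(\w+)="?[^\s"]*\$\d')   # VAR=$1 copies the matched header value

# Constructed sample configuration; lines 2 and 3 are the two rules quoted in the thread.
SAMPLE = r"""RewriteEngine On
RewriteRule (.*) $1?HTTP_Authorization=%{HTTP:Authorization} [PT]
RewriteRule / - [PT,E=HTTP_Authorization:%{HTTP:Authorization}]
# RewriteRule / - [E=OLD:%{HTTP:Authorization}]
RewriteRule ^/proxy - \
    [E=PAUTH:%{HTTP:Proxy-Authorization}]
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
SetEnvIf Authorization . has_auth
CGIPassAuth On
"""


def logical_lines(text):
    """Yield (first_line_no, directive), joining backslash continuations, skipping comments."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            yield start, line


def audit(config_text):
    """Return (line_no, kind, env_var) for directives that pass a credential header to scripts."""
    findings = []
    for no, line in logical_lines(config_text):
        name, args = (line.split(None, 1) + [""])[:2]
        name = name.lower()
        if name == "rewriterule":
            m = FLAGS.search(args)
            body, flags = (args[:m.start()], m.group(0)) if m else (args, "")
            if HDR_REF.search(body):            # lands in the URL, so in QUERY_STRING
                findings.append((no, "url", ""))
            for e in ENV_FLAG.finditer(flags):  # E=VAR:%{HTTP:Authorization}
                findings.append((no, "env", e.group(1)))
        elif name in ("setenvif", "setenvifnocase"):
            attr, rest = (args.split(None, 1) + [""])[:2]
            # A plain flag variable (no $N back-reference) does not copy the value.
            if re.fullmatch(SENSITIVE, attr, re.I):
                findings += [(no, "env", var) for var in SETENV_COPY.findall(rest)]
        elif name == "cgipassauth" and args.strip().lower() == "on":
            findings.append((no, "cgipassauth", ""))
    return findings


if __name__ == "__main__":
    for line_no, kind, var in audit(SAMPLE):
        print(f"line {line_no}: {kind} {var}".rstrip())
```
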


AW: AW: AUTH password

Posted by Al...@t-systems.com.
If you are improving applications, and want to stay compatible to old code, it is needed to do small steps.
Do it just a little better in any step.
If you introduce new features, in a complex environment you can't do all at once.
Sometimes adding encryption is not needed, but the decision to encrypt or not encrypt may change. It is simpler to explain an application, if you say "all the data is encrypted and stored encrypted on the harddisk, without a breach in the chain".
The application uses SSL and non-SSL. Adding encryption adds only a little bit more security, but it is a step.

It is really annoying to see all these questions, which suggest a complete rewrite.

Sure, I can do.




AW: AW: AUTH password

Posted by Al...@t-systems.com.
Hello,

sure I am interested in the mod_perl answer to retrieve the AUTH password.

I am using mod_perl on a x86 sparc with oracle 10, 32 bit client.

If the payload is stored to a harddisk, then it makes sense to encrypt the payload.
But as said, I do not want to talk about all the reasons, why I prefer this solution.

Greetings,
Alexander





Re: AW: AUTH password

Posted by André Warnier <aw...@ice-sa.com>.
Alexander.Elgert@t-systems.com wrote:
> aw@ice-sa.com wrote:
>> Alexander.Elgert@t-systems.com wrote:
>>> Hello,
>>>
>>> I am looking for a way to retrieve the AUTH password, without using mod_rewrite ...
>> I'd be interested in how you would do it, using mod_rewrite.
>> For my personal education..
> 
> mod_rewrite is really powerful, you are able to pass any header information to any output.
> I just tried the following rule, it just appends the header to the GET Request.
> 
>  RewriteEngine On
>  RewriteRule (.*) $1?HTTP_Authorization=%{HTTP:Authorization} [PT]
> 
> Or pass it to ENV:
>  RewriteRule / - [PT,E=HTTP_Authorization:%{HTTP:Authorization}]
> 
> http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
> 
> In PHP you just need a single line to decode it:
>  var_dump(base64_decode(str_replace('Basic ', '', $_REQUEST['HTTP_Authorization'])));
> 
>  var_dump(base64_decode(str_replace('Basic ', '', $_SERVER['HTTP_Authorization'])));
> 
> And please do not talk about security, it is just base64, if there is no SSL, anyone in the middle is able to read the password.
> 

I gather that this is a very indirect response to my question : you are talking about HTTP 
Basic Authentication.  And without SSL, so this is a very insecure environment (but we did 
not know that before).

In that case - one among many possibilities, which is why I was asking - indeed the 
password is "encrypted"  (so to speak) and sent over the network as part of the HTTP 
"Authorization" header.
And I gather - which you also did not say - that this is a cgi-bin script, not a mod_perl 
module.  So indeed it has a cgi-bin "environment" available to it.
(This is a mod_perl support list, so it is kind of expected that people come here to ask 
mod_perl-specific questions, unless they say otherwise).

So now, about your initial question, does your webserver include mod_perl, and is your 
perl cgi-bin script running under mod_perl ?
I am asking because you did not say, and because the response to your question is 
different, depending on your environment.

Basically :
- if you are not running under mod_perl, as a simple cgi-bin perl script, then you will 
also need mod_rewrite, and code similar to what you show above for PHP.
- if you are running under mod_perl, then your script would have access to some deeper 
things within Apache httpd, and you could do this without mod_rewrite.


And there is a side question too, just by curiosity : if this is such an insecure 
environment, why do you bother encrypting the response (using the user's password which 
everyone can get at anyway) ?
And if this is running under SSL, then also why bother encrypting the response ?




AW: AUTH password

Posted by Al...@t-systems.com.
aw@ice-sa.com wrote:
> Alexander.Elgert@t-systems.com wrote:
> > Hello,
> >
> > I am looking for a way to retrieve the AUTH password, without using mod_rewrite ...
>
> I'd be interested in how you would do it, using mod_rewrite.
> For my personal education..

mod_rewrite is really powerful, you are able to pass any header information to any output.
I just tried the following rule, it just appends the header to the GET Request.

 RewriteEngine On
 RewriteRule (.*) $1?HTTP_Authorization=%{HTTP:Authorization} [PT]

Or pass it to ENV:
 RewriteRule / - [PT,E=HTTP_Authorization:%{HTTP:Authorization}]

http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html

In PHP you just need a single line to decode it:
 var_dump(base64_decode(str_replace('Basic ', '', $_REQUEST['HTTP_Authorization'])));

 var_dump(base64_decode(str_replace('Basic ', '', $_SERVER['HTTP_Authorization'])));

And please do not talk about security, it is just base64, if there is no SSL, anyone in the middle is able to read the password.

Greetings,
Alexander

AW: AUTH password

Posted by Al...@t-systems.com.
aw@ice-sa.com wrote:
> your script can trust that id.  So why would it need to know the user's password ?

In my case to encrypt the answer using AES with the password.

Greetings,
Alexander


Re: AUTH password

Posted by André Warnier <aw...@ice-sa.com>.
Alexander.Elgert@t-systems.com wrote:
> Hello,
> 
> I am looking for a way to retrieve the AUTH password, without using mod_rewrite ...

I'd be interested in how you would do it, using mod_rewrite.
For my personal education..

> 
>  my $cgi = new CGI;
>  $cgi->remote_user; # this is the user
>  $cgi->remote_password???; # but where is the password?

Nowhere.  Why would it be ? if remote_user() responds with something defined, then it
means the user is authenticated - by whatever method has been configured to do so - and
your script can trust that id.  So why would it need to know the user's password ?

The mere fact that you /could/ obtain the user's password is going to give sleepless 
nights to any corporate network administrator.  Most reasonable web authentication methods 
are designed so that the user's password is never even transmitted over the wire.

> 
> In PHP, this is $_SERVER['PHP_AUTH_PW'].

Possibly.  But that supposes that something put it there.  What did ?

> 
> It would be nice to know, if there is a proper way to do such a thing.

The first info you would need to provide, is the authentication method used by Apache in 
your case.  There are many.