Posted to dev@httpd.apache.org by Howard Fear <hs...@pooh.pageplus.com> on 1997/05/15 14:11:16 UTC

Fwd> Question regarding mod_auth_sys

Can someone give me a more detailed explanation of this?
I was under the impression that passwords aren't passed from
the server to user available tools (cgi, ssi, php, etc.).

------- Forwarded Message From Todd Chapman <ht...@oakland.edu>

I am interested in using your module to authenticate against /etc/passwd
in an intranet. No external access to the intranet is allowed, but local
users can freely browse the web. Six reasons not to do this are given
in the Apache FAQ. The first five seem like acceptable risks on my
intranet, but I do not understand the following sixth reason:

It's relatively trivial for someone on your system to put up a page that
will steal the cached password from a client's cache without them
knowing. Can you say "password grabber"?

------- End of Forwarded Message

And, yes, I think the paranoia about user passwords makes a
lot of sense on a public server but is a very limited position
as it applies to a corporate intranet/departmental server.
Having one password for all resources is a very important
MIS concept, although this probably won't be fully possible
until the large-scale deployment of LDAP and certificates.

BTW, I may be on a panel about Apache for our local Unix User's
Group.  I'll be addressing using Apache for intranets, so if
anyone has any comments, I'll be happy to reflect them.

--
Howard Fear      I'm just a country perl hacker Jim.        hsf@pageplus.com
                    http://www.pageplus.com/~hsf/           hsf@redcape.com

Re: Fwd> Question regarding mod_auth_sys

Posted by Dean Gaudet <dg...@arctic.org>.
It's easy to change file ownership on sysv-style systems that let you
"chown away" a file.  IRIX for example (unless you systune it off).

Dean

On Thu, 15 May 1997 rasmus@bellglobal.com wrote:
> The way I have suggested that people handle this in the past is to make a
> change to the mod_php Header() function to make it prepend the user id
> of the owner of the .html file containing the script to the realm.  This
> way, on a shared server, the person trying to grab passwords would have to
> change the ownership of his/her grabber script to match someone else's, or
> in the case of a mod_auth_sys authenticated page, the realm would never
> match.


Re: Fwd> Question regarding mod_auth_sys

Posted by ra...@bellglobal.com.
> Can someone give me a more detailed explanation of this?
> I was under the impression that passwords aren't passed from
> the server to user available tools (cgi, ssi, php, etc.).

Passwords are not passed on to CGI programs, although various Apache
patches are floating about out there that enable this.  By default a
CGI program cannot grab a password.

In the case of PHP when run as a module, the module does make it possible
to do authentication from within a PHP script.  If one of the auth modules
has already performed the authentication step then the password is not
handed off to the script.  

So, the only way to build a password grabber is to write a script that
has the same realm, and the same domain as another page.  On a shared server
this is not difficult to do.  Therefore, running mod_auth_sys and mod_php
and probably mod_perl as well, on a shared server is not a very good idea.

The mod_php exploit script would simply look like this:

   <?
        if(!$PHP_AUTH_USER) {
                Header("WWW-authenticate: basic realm=\"My Realm\"");
                Header("HTTP/1.0 401 Unauthorized");
                exit;
        } else {
                echo "Hello $PHP_AUTH_USER<br>\n";
                echo "You entered $PHP_AUTH_PW as your password<br>\n";
        }
   >

The way I have suggested that people handle this in the past is to make a
change to the mod_php Header() function to make it prepend the user id
of the owner of the .html file containing the script to the realm.  This
way, on a shared server, the person trying to grab passwords would have to
change the ownership of his/her grabber script to match someone else's, or
in the case of a mod_auth_sys authenticated page, the realm would never
match.

-Rasmus
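
The realm-scoping mitigation suggested in this thread, sketched in C as an added example (it is not mod_php source and not code posted by anyone in the thread). The helper name `scope_realm_to_owner` and its return convention are hypothetical, and it assumes the lowercase `realm="..."` form used in the script above. As Dean's reply points out, the owner uid is only a sound namespace on systems where users cannot chown files away.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical helper, not mod_php source. Rewrites a script-supplied
 * header so the Basic realm carries the uid of the script file's owner.
 * Returns 0 if the realm was rewritten, 1 if the header is not a
 * WWW-Authenticate header (copied unchanged), -1 on any failure. */
int scope_realm_to_owner(const char *header, const char *script_path,
                         char *out, size_t outlen)
{
    static const char name[] = "WWW-Authenticate:";
    static const char key[] = "realm=\"";   /* form used in the thread */
    const size_t namelen = sizeof(name) - 1;
    struct stat st;
    const char *realm, *value;
    size_t i;
    int n;

    /* Header names are case-insensitive; the script sends "WWW-authenticate". */
    for (i = 0; i < namelen; i++)
        if (tolower((unsigned char)header[i]) != tolower((unsigned char)name[i]))
            break;
    if (i != namelen) {
        n = snprintf(out, outlen, "%s", header);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
    }
    /* Fail closed: a challenge we cannot scope to an owner is not sent. */
    realm = strstr(header + namelen, key);
    if (realm == NULL || stat(script_path, &st) != 0)
        return -1;
    value = realm + sizeof(key) - 1;
    n = snprintf(out, outlen, "%.*s%lu:%s", (int)(value - header), header,
                 (unsigned long)st.st_uid, value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char out[256];
    /* Constructed input: the challenge from the script in the thread. */
    const char *hdr = "WWW-authenticate: basic realm=\"My Realm\"";
    int rc = scope_realm_to_owner(hdr, argc > 1 ? argv[1] : argv[0], out, sizeof out);
    if (rc < 0) { fprintf(stderr, "challenge suppressed\n"); return 1; }
    puts(out);
    return 0;
}
```

Because every script-issued realm starts with its owner's uid, it can never equal the unprefixed realm of a page protected by mod_auth_sys, so the browser does not replay the cached credentials to it.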