You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Alberto Marconi <am...@akros.it> on 1999/01/04 18:49:59 UTC

mod_auth-any/3623: REMOTE_USER variable not set

>Number:         3623
>Category:       mod_auth-any
>Synopsis:       REMOTE_USER variable not set
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jan  4 09:50:00 PST 1999
>Last-Modified:
>Originator:     amarconi@akros.it
>Organization:
apache
>Release:        1.3.0
>Environment:
Linux web 2.0.0 #7 Wed Sep 9 16:21:25 MET DST 1998 i586
>Description:
The REMOTE_USER variable is not set when a cgi script is executed
from a form created by another cgi script.
Both script are contained in a sub-directory of the cgi-bin directory and
the sub-directory contains a .htaccess file.
When the first script is executed, the proper authentication process takes
place and the REMOTE_USER variable is set.
When the second script is executed, the REMOTE_USER variable is not set and,
therefore, the script is unable to accertain if the user executing it passed
the authentication process.
A non authorized user could write a script which launces the second script
so bypassing all security checks.
>How-To-Repeat:
1. you should create a sub-directory of the cgi-bin directory.
2. you should put a .htaccess file in it.
3. you should create a script like this one:
     <form action="/cgi-bin/sub-dir/second-script" method="post">
     <select name="DirectoryCor">
     <option> any
     </select>
     <input type="submit" value="any">
     </form>
4. you should create a second script which echoes back the REMOTE_USER
   variable.
5. you should execute the first script, authenticate, then click on the
   submit button.
>Fix:
None.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]