You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Alberto Marconi <am...@akros.it> on 1999/01/04 18:49:59 UTC
mod_auth-any/3623: REMOTE_USER variable not set
>Number: 3623
>Category: mod_auth-any
>Synopsis: REMOTE_USER variable not set
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Mon Jan 4 09:50:00 PST 1999
>Last-Modified:
>Originator: amarconi@akros.it
>Organization:
apache
>Release: 1.3.0
>Environment:
Linux web 2.0.0 #7 Wed Sep 9 16:21:25 MET DST 1998 i586
>Description:
The REMOTE_USER variable is not set when a cgi script is executed
from a form created by another cgi script.
Both script are contained in a sub-directory of the cgi-bin directory and
the sub-directory contains a .htaccess file.
When the first script is executed, the proper authentication process takes
place and the REMOTE_USER variable is set.
When the second script is executed, the REMOTE_USER variable is not set and,
therefore, the script is unable to accertain if the user executing it passed
the authentication process.
A non authorized user could write a script which launces the second script
so bypassing all security checks.
>How-To-Repeat:
1. you should create a sub-directory of the cgi-bin directory.
2. you should put a .htaccess file in it.
3. you should create a script like this one:
<form action="/cgi-bin/sub-dir/second-script" method="post">
<select name="DirectoryCor">
<option> any
</select>
<input type="submit" value="any">
</form>
4. you should create a second script which echoes back the REMOTE_USER
variable.
5. you should execute the first script, authenticate, then click on the
submit button.
>Fix:
None.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request ]
[from a developer. ]
[Reply only with text; DO NOT SEND ATTACHMENTS! ]