Newsgroups: php.internals
Date: Wed, 22 Sep 2004 18:17:41 -0700 (PDT)
From: rasmus@php.net (Rasmus Lerdorf)
To: Uwe Schindler
cc: Kamesh Jayachandran, internals@lists.php.net
In-Reply-To: <6.1.2.0.0.20040922231944.041595f8@127.0.0.1>
References: <1095863649.14268.204915460@webmail.messagingengine.com> <6.1.2.0.0.20040922231944.041595f8@127.0.0.1>
Subject: Re: [PHP-DEV] Why to have owner's uid of the file when WWW-Authenticate header?

On Wed, 22 Sep 2004, Uwe Schindler wrote:

> What is the background of disabling of passing the headers "Authentication"
> and the user/password pairs in it to the user? Is it a problem to simply
> give the user access to this information (even with safe mode) - If there
> is some authentication by .htaccess or something other it is normally from
> the same user that wrote the script.

Normally, sure. But say on a shared host http://www.isp.com/~bob sets up a
password-protected page. Then Tom comes along and wants to grab the user ids
and passwords from Bob's site. Safe-mode is enabled so he can't simply write
a script to steal the passwords, and even if he could, they are encrypted.

So the way to hack it is to just password protect one of his own pages and
give it the same auth domain as Bob's pages and anybody who visits
http://www.isp.com/~tom anytime after visiting /~bob will invisibly send
their auth data to Tom.

-Rasmus
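As an added illustration, not part of Rasmus's message or of PHP's own source: a small Python model of the browser credential cache Rasmus is relying on (keyed on host and realm, the RFC 2617 protection space), run twice against a constructed shared host. The second run applies the realm suffixing the thread's subject refers to (the file owner's uid appended to the realm), which I take to be the safe-mode behaviour; the host name, uids, paths and credentials are made up.

```python
from dataclasses import dataclass, field


@dataclass
class SharedHost:
    """One web host serving scripts owned by several Unix users.

    `protected` maps a path prefix to (owner_uid, realm) as that owner's
    script sends it in WWW-Authenticate. `safe_mode` models the mitigation
    the thread's subject refers to (assumption: realm advertised as
    '<realm>-<owner uid>', so two owners can never share one realm).
    """
    name: str
    protected: dict
    safe_mode: bool = False
    received: list = field(default_factory=list)  # (owner_uid, user) seen

    def realm_for(self, path):
        """Realm the 401 challenge for `path` would carry, or None if public."""
        for prefix, (uid, realm) in self.protected.items():
            if path.startswith(prefix):
                return f"{realm}-{uid}" if self.safe_mode else realm
        return None

    def authorize(self, path, user, password):
        """The owning script now sees the user/password pair; record who saw it."""
        for prefix, (uid, _) in self.protected.items():
            if path.startswith(prefix):
                self.received.append((uid, user))
                return True
        return False


@dataclass
class Browser:
    """Credential cache keyed on (host, realm): a challenge naming a realm the
    browser already has credentials for is answered without prompting."""
    cache: dict = field(default_factory=dict)

    def visit(self, host, path, typed=None):
        realm = host.realm_for(path)
        if realm is None:
            return "200 public"
        key = (host.name, realm)
        if key not in self.cache:
            if typed is None:
                return "401 prompt"  # user would be asked; nothing is sent
            self.cache[key] = typed
        user, password = self.cache[key]
        return "200 sent" if host.authorize(path, user, password) else "401"


def run_scenario(safe_mode):
    """Alice logs in at /~bob, then browses to /~tom, whose script copied Bob's
    realm string. Returns the uids whose scripts received Alice's credentials."""
    host = SharedHost(name="www.isp.com", safe_mode=safe_mode, protected={
        "/~bob/": (1001, "Members"),
        "/~tom/": (1002, "Members"),  # constructed: same realm as Bob
    })
    browser = Browser()
    browser.visit(host, "/~bob/secret.php", typed=("alice", "hunter2"))
    browser.visit(host, "/~tom/index.php")  # no prompt: cache decides
    return sorted({uid for uid, _ in host.received})
```

Without the uid suffix both owners' scripts receive the pair; with it, Tom's challenge names a realm the browser has never stored, so the visitor is prompted and nothing leaks.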