This is a discussion on Prevent setting of PHP_AUTH_PW? within the PHP Language forums, part of the PHP Programming Forums category.

I have an Apache 2.2.8 server all set up with mod_authnz_ldap to authenticate via LDAP user/password pairs. It's all SSL to the web server, SSL between the web server and LDAP, so it's pretty secure even though it's Basic auth. By the time the PHP script runs, the user has already authenticated and the PHP code can trust the value of PHP_AUTH_USER.

So, how can I NOT have PHP_AUTH_PW set? I'd kinda rather not have people's passwords just hanging around in $_SERVER for code to do whatever it wants with it.

Mark Reed wrote:
> I have an Apache 2.2.8 server all set up with mod_authnz_ldap to
> authenticate via LDAP user/password pairs. It's all SSL to the web
> server, SSL between the web server and LDAP, so it's pretty secure
> even though it's Basic auth. By the time the PHP script runs, the
> user has already authenticated and the PHP code can trust the value of
> PHP_AUTH_USER.
>
> So, how can I NOT have PHP_AUTH_PW set? I'd kinda rather not have
> people's passwords just hanging around in $_SERVER for code to do
> whatever it wants with it.

Unless someone hacks your server, it isn't a problem. But if someone hacks the server, you have more important things to worry about.

--
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net

On May 8, 7:53 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Mark Reed wrote:
> > So, how can I NOT have PHP_AUTH_PW set? I'd kinda rather not have
> > people's passwords just hanging around in $_SERVER for code to do
> > whatever it wants with it.
>
> Unless someone hacks your server, it isn't a problem. But if someone
> hacks the server, you have more important things to worry about.

It's not quite that simple. I'm more concerned about passwords accidentally being revealed than I am about malicious attacks, since the server is on a corporate LAN that's not exposed to the Internet. Having the password hang around means that something as simple as adding a print_r($_SERVER); for debugging purposes will cause the password to show up in clear text in the browser window. That's not cool.

Mark Reed wrote:
> On May 8, 7:53 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Mark Reed wrote:
>>> So, how can I NOT have PHP_AUTH_PW set? I'd kinda rather not have
>>> people's passwords just hanging around in $_SERVER for code to do
>>> whatever it wants with it.
>> Unless someone hacks your server, it isn't a problem. But if someone
>> hacks the server, you have more important things to worry about.
>
> It's not quite that simple. I'm more concerned about passwords
> accidentally being revealed than I am about malicious attacks, since
> the server is on a corporate LAN that's not exposed to the Internet.
> Having the password hang around means that something as simple as
> adding a print_r($_SERVER); for debugging purposes will cause the
> password to show up in clear text in the browser window. That's not
> cool.

If you can't trust your developers, you're in trouble.

And anything you take out they can easily bypass.

On May 9, 11:33 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> If you can't trust your developers, you're in trouble.
>
> And anything you take out they can easily bypass.

For the third time, I'm not worried about malicious attacks. I don't care how much I trust my developers... and in this case, I'm also the developer, so that's a lot of trust... I don't want anyone's passwords exposed. That said, I'm not trying to make it impossible to retrieve passwords - all I'm trying to do is make it not automatic. This does not seem to me like an outlandish request.

I don't even understand why the password is made available in the first place. It seems that either you're doing the authentication with PHP code, in which case the password is submitted to PHP as a form field, or you're doing it in the web server, in which case the PHP has no need to ever see the password.

Anyway, if you don't know of a way to prevent this behavior, that's fine, but please stop telling me that it's unreasonable for me to want to do so.

I'd settle for a way to insert a script that unsets it before any other PHP is run. I don't suppose there's any way to insert a PHP script that gets executed ahead of any other PHP code on the site?

Mark Reed wrote:
> On May 9, 11:33 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> If you can't trust your developers, you're in trouble.
>>
>> And anything you take out they can easily bypass.
>
> For the third time, I'm not worried about malicious attacks. I don't
> care how much I trust my developers... and in this case, I'm also the
> developer, so that's a lot of trust... I don't want anyone's passwords
> exposed. That said, I'm not trying to make it impossible to retrieve
> passwords - all I'm trying to do is make it not automatic. This does
> not seem to me like an outlandish request.
>
> I don't even understand why the password is made available in the
> first place. It seems that either you're doing the authentication
> with PHP code, in which case the password is submitted to PHP as a
> form field, or you're doing it in the web server, in which case the
> PHP has no need to ever see the password.
>
> Anyway, if you don't know of a way to prevent this behavior, that's
> fine, but please stop telling me that it's unreasonable for me to want
> to do so.
>
> I'd settle for a way to insert a script that unsets it before any
> other PHP is run. I don't suppose there's any way to insert a PHP
> script that gets executed ahead of any other PHP code on the site?

Not without the possibility of it being bypassed.

Mark Reed wrote:
> On May 9, 11:33 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> If you can't trust your developers, you're in trouble.
>>
>> And anything you take out they can easily bypass.
>
> For the third time, I'm not worried about malicious attacks. I don't
> care how much I trust my developers... and in this case, I'm also the
> developer, so that's a lot of trust... I don't want anyone's passwords
> exposed. That said, I'm not trying to make it impossible to retrieve
> passwords - all I'm trying to do is make it not automatic. This does
> not seem to me like an outlandish request.
>
> I don't even understand why the password is made available in the
> first place. It seems that either you're doing the authentication
> with PHP code, in which case the password is submitted to PHP as a
> form field, or you're doing it in the web server, in which case the
> PHP has no need to ever see the password.
>
> Anyway, if you don't know of a way to prevent this behavior, that's
> fine, but please stop telling me that it's unreasonable for me to want
> to do so.
>
> I'd settle for a way to insert a script that unsets it before any
> other PHP is run. I don't suppose there's any way to insert a PHP
> script that gets executed ahead of any other PHP code on the site?

The only person you'd be protecting against is you. I think you should stop getting fixated on something that is a total waste of time and get on with something useful.

On Fri, 9 May 2008 09:06:03 -0700 (PDT), Mark Reed <markjreed@gmail.com> wrote:
> I'd settle for a way to insert a script that unsets it before any
> other PHP is run. I don't suppose there's any way to insert a PHP
> script that gets executed ahead of any other PHP code on the site?

There is a way to insert a PHP script that runs before other PHP code, but as another poster already pointed out, this could be bypassed easily... Now I won't guarantee that there are no other ways to bypass it, but the only way I know is through the .htaccess file, and that can be prevented by configuring Apache (and at this point I realize that my knowledge is about Apache+PHP; I don't know about other web servers) to not allow setting PHP configuration options in the .htaccess file...

Anyway, the way to achieve what you are asking for is to add a line like this to your php.ini file:

auto_prepend_file = "/var/www/html/header.php"

--
Sir Robin (aka Jani Saksa)
Bi-Sex and proud of it!
email: robsku@fiveam.NO-SPAM.org, Reg. Linux user #290577
Me, Drugs, DooM, Photos, Writings... http://soul.fiveam.org/robsku
GSM/SMS: +358 44 927 3992
"Sir Robin valehtelee järjestelmällisesti" - Nikolas Mäki

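A concrete version of the prepend file Sir Robin describes, added here as a worked example; it is not code from any poster in this thread. It assumes the setup from the original question (mod_php behind mod_authnz_ldap doing Basic auth, so the user name is already verified before PHP runs), PHP 7 or later, and the path /var/www/html/header.php from the php.ini line above. The function names scrub_basic_auth_password and authenticated_user are mine.

```php
<?php
// header.php: loaded through auto_prepend_file, so it runs before any other
// PHP code on the site. Added example for this thread, not any poster's code.
// Assumes Apache (mod_php) with mod_authnz_ldap performing Basic auth in
// front of PHP: the user name is already verified, PHP never needs the
// password, and the only goal is to keep it out of $_SERVER dumps.

declare(strict_types=1);

/**
 * Remove every key through which PHP can hand the Basic-auth password to a
 * script. Returns the names of the keys it removed, so a debug log or a
 * self-check can confirm the scrub actually happened on a given SAPI.
 */
function scrub_basic_auth_password(array &$server): array
{
    // PHP_AUTH_PW is what mod_php derives from the Authorization header.
    // HTTP_AUTHORIZATION / REDIRECT_HTTP_AUTHORIZATION show up on CGI/FastCGI
    // setups that forward the raw header via mod_rewrite; they carry the same
    // secret, merely base64-encoded, so they have to go as well.
    $secretKeys = ['PHP_AUTH_PW', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'];
    $removed = [];
    foreach ($secretKeys as $key) {
        if (array_key_exists($key, $server)) {
            unset($server[$key]);
            $removed[] = $key;
        }
    }
    return $removed;
}

/**
 * The identity the rest of the application should rely on: the user name
 * Apache authenticated. PHP_AUTH_USER is filled in by mod_php; REMOTE_USER
 * is the CGI variable Apache sets from the same successful authentication.
 * Throws instead of returning '' so a vhost that lost its "Require" line
 * fails closed rather than running as an anonymous user.
 */
function authenticated_user(array $server): string
{
    foreach (['PHP_AUTH_USER', 'REMOTE_USER'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return (string) $server[$key];
        }
    }
    throw new RuntimeException('request reached PHP without an authenticated user');
}

// Scrub $_SERVER in place, and $_ENV too: on CGI-style setups with "E" in
// variables_order the forwarded Authorization header can land there as well.
scrub_basic_auth_password($_SERVER);
scrub_basic_auth_password($_ENV);

// From here on a stray print_r($_SERVER) in page code shows the user name
// but no password; page code calls authenticated_user($_SERVER) for identity.
```

Set the prepend in the vhost rather than in php.ini if you also want to close the .htaccess bypass Sir Robin mentions: `php_admin_value auto_prepend_file "/var/www/html/header.php"` cannot be overridden by php_value in .htaccess or by ini_set(), and `AllowOverride None` (php_value in .htaccess needs AllowOverride Options or All) removes that route altogether. What this file cannot reach is the raw request header: under mod_php, apache_request_headers() (alias getallheaders()) still returns the original Authorization line, and under CGI getenv('HTTP_AUTHORIZATION') reads the process environment rather than $_ENV. Listing apache_request_headers and getallheaders in disable_functions closes the first; neither stops code written to fetch the password on purpose, which is consistent with Mark's stated goal of making exposure non-automatic rather than impossible. An Apache-side alternative worth testing on your build, and my suggestion rather than something the thread confirms, is mod_headers' `RequestHeader unset Authorization` in its default (late) mode, which runs after authentication and before the handler so mod_php never sees the header; the cost is that PHP_AUTH_USER disappears too and scripts must read REMOTE_USER instead.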