 |
 |
 |
 |
|
|
Date: 06/14/99
- Next message: Orion Poplawski: "[PHP-DEV] Re: Small modfication request for mysql_connect"
- Previous message: giuseppe <email protected>: "[PHP-DEV] Bug #1537: Freetype.h ??????"
- Next in thread: Rasmus Lerdorf: "Re: [PHP-DEV] Bug #1538: Security Data Lost w/ FORMS When METHOD=POST"
- Reply: Rasmus Lerdorf: "Re: [PHP-DEV] Bug #1538: Security Data Lost w/ FORMS When METHOD=POST"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
From: alex <email protected>
Operating system: Linux 2.2.9
PHP version: 3.0.9
PHP Bug Type: Other
Bug description: Security Data Lost w/ FORMS When METHOD=POST
I have 2 PHP Scripts, the out put of one calls the other through a HTML FORM POST operation. The $REMOTE_USER value is null in the second script even though it is set in the first script. Both PHP Scripts are in a
area of the document root where apache is configured to require
authentication.
Example Snippets:
Script One:
$inst_query = "SELECT * FROM SECURITY_SC WHERE ACCOUNT='$REMOTE_USER'";
echo $inst_query;
echo "<TR><TD>\n";
echo "<FORM ACTION=optf_dlc_list.php3 METHOD=POST>\n";
echo "<INPUT TYPE=HIDDEN NAME=pog_no VALUE=$pog_no>\n";
echo "<INPUT TYPE=HIDDEN NAME=study_no
VALUE=$study_no>\n";
echo "<INPUT TYPE=HIDDEN NAME=accsn_no
VALUE=$accsn_no>\n";
echo "<INPUT TYPE=SUBMIT VALUE=\"View
Reports\"></TD>\n";
echo "<TD>$pog_no</TD><TD>$study_no</TD><TD>$accsn_no</TD></TR>\n";
echo "</FORM>\n";
Script One Output:
SELECT * FROM SECURITY_SC WHERE ACCOUNT='abrennen';
Script Two Snippet:
$inst_query = "SELECT * FROM SECURITY_SC WHERE ACCOUNT='$REMOTE_USER'";
Script Two Output:
SELECT * FROM SECURITY_SC WHERE ACCOUNT=''
I'm running Apache 1.3.6 w/ BenSSL patch 1.3.5 and PHP 3.0.9 on
Red Hat Linux 5.2 with Kernel 2.2.9 with the AC buqtraq 2.2.x patch
applied. I'm using OpenSSL 0.9.3a. PHP is running as an Apache
Module. I'm accessing the scripts with Netscape Communicator
version 4.6 (I've tried on both Linux and Win95). Netscape does
not appear to be loosing it's authentication tokens (I haven't checked
but I am not asked to re-enter them when I access the PHP script
which does not have the $REMOTE_USER information.)
Apache CONFIG:
./configure --prefix=/www --activate-module=src/modules/php3/libphp3.a --activate-module=auth_dbm
PHP CONFIG:
./configure --with-apache=../apache_1.3.6 --with-config-file-path=/etc --with-oracle=/home/vab/oracle
Please let me know when this is fixed... We're developing a very large
number of PHP applications for our research group in which security
is very important.
Thank you - PHP is an awsome product. Feel free to contact me
for additional information or code.
- VAB
-- PHP Development Mailing List (http://www.php.net/) To unsubscribe, e-mail: php-dev-unsubscribe <email protected> For additional commands, e-mail: php-dev-help <email protected> To contact the list administrators, e-mail: php-list-admin <email protected>
- Next message: Orion Poplawski: "[PHP-DEV] Re: Small modfication request for mysql_connect"
- Previous message: giuseppe <email protected>: "[PHP-DEV] Bug #1537: Freetype.h ??????"
- Next in thread: Rasmus Lerdorf: "Re: [PHP-DEV] Bug #1538: Security Data Lost w/ FORMS When METHOD=POST"
- Reply: Rasmus Lerdorf: "Re: [PHP-DEV] Bug #1538: Security Data Lost w/ FORMS When METHOD=POST"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]