Received: (qmail 18409 invoked by uid 2012); 4 Jan 1999 17:49:59 -0000 Message-Id: <19990104174959.18408.qmail@hyperreal.org> Date: 4 Jan 1999 17:49:59 -0000 From: Alberto Marconi Reply-To: amarconi@akros.it To: apbugs@hyperreal.org Subject: REMOTE_USER variable not set X-Send-Pr-Version: 3.2 >Number: 3623 >Category: mod_auth-any >Synopsis: REMOTE_USER variable not set >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Jan 4 09:50:00 PST 1999 >Last-Modified: Mon Jan 4 09:52:49 PST 1999 >Originator: amarconi@akros.it >Organization: >Release: 1.3.0 >Environment: Linux web 2.0.0 #7 Wed Sep 9 16:21:25 MET DST 1998 i586 >Description: The REMOTE_USER variable is not set when a cgi script is executed from a form created by another cgi script. Both script are contained in a sub-directory of the cgi-bin directory and the sub-directory contains a .htaccess file. When the first script is executed, the proper authentication process takes place and the REMOTE_USER variable is set. When the second script is executed, the REMOTE_USER variable is not set and, therefore, the script is unable to accertain if the user executing it passed the authentication process. A non authorized user could write a script which launces the second script so bypassing all security checks. >How-To-Repeat: 1. you should create a sub-directory of the cgi-bin directory. 2. you should put a .htaccess file in it. 3. you should create a script like this one:
4. you should create a second script which echoes back the REMOTE_USER variable. 5. you should execute the first script, authenticate, then click on the submit button. >Fix: None. >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: marc State-Changed-When: Mon Jan 4 09:52:49 PST 1999 State-Changed-Why: I am quite sure that authentication is being required wherever it is configured to be required. If REMOTE_USER isn't showing up, then it is because you don't have authentication required for that request. The fact that it is a CGI executed from a form created by another CGI has nothing to do with it. Either your .htaccess file isn't working at all (eg. because you have AllowOverride none or something similar set for your cgi-bin directory) or you have some "Limit GET" in there which, as it says, only limits GET requests. >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]