
[cobalt-security] Answer: PHP tells PWD's



PHP gives your script the $PHP_AUTH_USER and $PHP_AUTH_PW variables if it
is used as a server module and you used HTTP authentication (i.e., a popup
user/pass box) to access the script, as would be triggered by the Auth*
directives in an .htaccess file.  PHP is not reading your FTP password from
anywhere, although perhaps you're using the same password for Web
authentication as you're using for FTP, which I wouldn't recommend.

By the way, since you're concerned about your password being sent in the
clear (rightly so), be aware that HTTP Basic authentication does NOT
encrypt or otherwise hide your password while in transmission.  It only
encodes it using the UU or Base64 algorithm (forgot which), so it looks
scrambled but really isn't.

At 06:40 AM 7/27/01 +0200, Norbert Nothdurft wrote:
>Maybe someone has solved this problem...
>
>Today I tried a little with PHP on my RAQ4...
>First simple trying if PHP works fine ...
>
><?php
> phpinfo();
>?>
>
>The result-page told me ftp-user and ftp-pwd as clear text!!!
>There is a section PHP Variables and there 
>PHP-AUTH-USER and PHP-AUTH-PW


-------------------------------------------------------------------------
Ted Behling, Web Application Developer, Monarch Information Systems, Inc.

43 Folly Field Road, Unit 4, Hilton Head Island, SC 29928-5434
E-mail: mailto:TBehling@xxxxxxxxxxxxx
Phone/Fax: 1-800-842-7894    Local or Outside the USA: 1-843-842-7894
Cell Phone (urgent issues): 843-816-7895
Cell Phone E-mail: mailto:TedPhone@xxxxxxxxxxxxx (116 letter limit)
Web site: http://www.monarchis.net
-------------------------------------------------------------------------
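
The point made in the message above about HTTP Basic authentication, as an added example that is not part of the original post: the `Authorization` header carries `user:password` in Base64, which anyone who can read the request can reverse without a key. The function names and the sample credentials are constructed for illustration.

```python
import base64


def encode_basic(user: str, password: str) -> str:
    """Build the header value a browser sends after the user/pass popup."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str):
    """Recover (user, password) from an Authorization header value.

    No key or secret is involved: this is plain decoding, which is why
    Basic authentication needs TLS underneath it.
    Returns None if the value is not well-formed Basic credentials.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # The user name cannot contain ':', so split on the first one only;
    # the password may contain further colons.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


# Constructed sample: what would cross the wire in a plain-HTTP request.
SAMPLE_HEADER = encode_basic("siteadmin", "s3cret:with:colons")

if __name__ == "__main__":
    print("Authorization:", SAMPLE_HEADER)
    print("Decoded:", decode_basic(SAMPLE_HEADER))
```

The decoded pair is the same information PHP exposes to the script as the user and password variables discussed in the message.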