[pmwiki-users] error in .htpasswd - Auth
Patrick R. Michaud
pmichaud at pobox.com
Fri Nov 18 13:15:43 CST 2005
On Wed, Nov 16, 2005 at 09:36:37PM +0100, Patrick Ogay wrote:
> I spent a lot of time testing authuser, and I often had strange results.
> ...
Here are my comments on your configuration:
> farmconfig:
> <?php
> [...]
> ### globale Modules
> require_once("$FarmD/scripts/authuser.php");
Note that in order for authuser.php to work the $AuthUser variables
have to be set *before* loading the script. If you set them afterwards,
it won't work.
> ## Addons/User Actions
> ##adds action=setuser&user=user&passwd=passwd
> ## uses php "system" to execute a shellscript in usr/local/bib
> global $HandleActions;
> SDV($HandleActions['setuser'], 'setUser');
> function setUser($pagename) {
>   echo "setuser".$_GET['user'].$_GET['passwd'];
>   if ($_GET['user'] && $_GET['passwd']) {
>     $cmd = "_htpasswd ".$_GET['user']." ".$_GET['passwd'];
>     echo "=$cmd=";
>     system($cmd, $result);
> [...]
This looks *very* dangerous; as written here I suspect that a
malicious user would be able to use ?action=setuser to be able
to execute arbitrary commands on the server.
Pm
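As an added example (not part of the original message and not PmWiki's own code), here is the same action written so that no request parameter ever reaches a shell: the user name is whitelisted, the password is hashed in PHP, and the entry is written to the password file directly. The `$HandleAuth['setuser']` guard, the `$HtpasswdFile` path and the switch from GET to POST are assumptions.

```php
<?php
// Added example, not PmWiki code. Assumed: $HandleAuth restricts an
// action to holders of a given password level, and the htpasswd path
// below is whatever $AuthUser['htpasswd'] was set to before authuser.php
// was loaded.
$HtpasswdFile = "$FarmD/local/.htpasswd";          // assumed path

// Only someone holding the admin password may run ?action=setuser.
SDV($HandleAuth['setuser'], 'admin');
SDV($HandleActions['setuser'], 'SafeSetUser');

function SafeSetUser($pagename) {
  global $HtpasswdFile;
  $user   = isset($_POST['user'])   ? $_POST['user']   : '';
  $passwd = isset($_POST['passwd']) ? $_POST['passwd'] : '';

  // Whitelist the user name: letters, digits, '_' and '-', 1-32 chars.
  // This rejects spaces, ';', '|', '$(' and anything else a shell would
  // interpret, and the newline that would forge a second htpasswd entry.
  if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $user) || $passwd === '') {
    Abort('setuser: invalid user name or empty password');
  }

  // Hash in PHP instead of shelling out to htpasswd: with no system()
  // call there is no command line for an attacker to break out of.
  // bcrypt ($2y$) hashes are accepted by crypt()-based htpasswd checks.
  $hash = password_hash($passwd, PASSWORD_BCRYPT);

  // Rewrite the file, replacing any existing line for this user.
  $lines = file_exists($HtpasswdFile)
    ? file($HtpasswdFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
    : array();
  $out = array();
  foreach ($lines as $line) {
    if (strpos($line, "$user:") !== 0) $out[] = $line;
  }
  $out[] = "$user:$hash";

  // LOCK_EX so two concurrent requests cannot interleave their writes.
  $data = implode("\n", $out) . "\n";
  if (file_put_contents($HtpasswdFile, $data, LOCK_EX) === false) {
    Abort('setuser: cannot write password file');
  }
  echo "setuser: password for $user updated";   // $user is whitelisted above
}
```

The file should live outside the web root and be writable only by the web server user, so that the action cannot be used to overwrite anything else.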