
Can the REMOTE_USER env variable be faked?

  • 19-03-2006 11:17PM
    #1
    Registered Users, Registered Users 2 Posts: 6,652 ✭✭✭


    I am using Perl but the same issue applies to PHP or any other server-side code.

    A few of my perl CGI scripts have 'admin' functionality that is only enabled when accessed from within a directory protected with Basic authentication ('require valid-user' in my .htaccess file). Keeping the normal and admin code in the same file makes maintenance easier.
    My code is something like:
    use CGI qw(:standard); # exports remote_user()
    do_admin_stuff() if ( $ENV{'REMOTE_USER'} eq 'the_user' );
    # or
    do_admin_stuff() if ( remote_user() eq 'the_user' ); # CGI.pm function.
    
    Can the REMOTE_USER environment variable be set by the client in such a way as to bypass the server-side authentication? I'm thinking that it can't be as the server sets the environment variable, but since the page's referrer can be faked I figured I'd ask to be sure.


Comments

  • Registered Users, Registered Users 2 Posts: 4,003 ✭✭✭rsynnott


    This is the remote_user coming from apache? Nope, it should be safe enough.


  • Registered Users, Registered Users 2 Posts: 6,652 ✭✭✭daymobrew


    REMOTE_USER is the one set by Apache when the script is subject to authentication.

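Added example (not from the thread) modelling in Python why a client-supplied header cannot reach the script's check: a CGI gateway following RFC 3875 copies request headers only into HTTP_* variables and sets REMOTE_USER solely from its own Basic-auth result. The user table, the `handle_request` wrapper and the sample requests are constructed for the demonstration.

```python
import base64

# Constructed stand-in for the htpasswd file that 'require valid-user'
# consults; not a real credential store.
VALID_USERS = {"the_user": "correct horse"}


def basic_auth_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def basic_auth_user(headers):
    """Server-side check of Authorization against VALID_USERS.
    Returns the user name on success, None otherwise (fails closed)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if VALID_USERS.get(user) == password else None


def cgi_environment(headers, authenticated):
    """Build the CGI meta-variables a gateway such as Apache passes to the
    script, per RFC 3875: every client header becomes HTTP_<NAME> (upper
    case, '-' -> '_'), so a header called REMOTE_USER lands in
    HTTP_REMOTE_USER; REMOTE_USER and AUTH_TYPE come only from the
    server's authentication result, never from the request."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    if authenticated is not None:
        env["AUTH_TYPE"] = "Basic"
        env["REMOTE_USER"] = authenticated
    return env


def handle_request(headers):
    """Gateway plus the admin gate from the post; returns (admin_enabled, env)
    so the effect of each request can be inspected."""
    env = cgi_environment(headers, basic_auth_user(headers))
    admin_enabled = env.get("REMOTE_USER") == "the_user"
    return admin_enabled, env
```

With no valid credentials the forged value is visible only as HTTP_REMOTE_USER and the admin gate stays closed; only a correct Basic-auth exchange populates REMOTE_USER.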
