
Can the REMOTE_USER env variable be faked?

  • 19-03-2006 11:17pm
    #1
    Registered Users Posts: 6,511 ✭✭✭


    I am using perl but the same issue applies to PHP or any other server-side code.

    A few of my perl CGI scripts have 'admin' functionality that is only enabled when accessed from within a directory protected with Basic authentication ('require valid-user' in my .htaccess file). Keeping the normal and admin code in the same file makes maintenance easier.
    My code is something like:
    do_admin_stuff() if ( $ENV{'REMOTE_USER'} eq 'the_user' );
    # or
    do_admin_stuff() if ( remote_user() eq 'the_user' ); # CGI.pm function.
    
    Can the REMOTE_USER environment variable be set by the client in such a way as to bypass the server-side authentication? I'm thinking that it can't be as the server sets the environment variable, but since the page's referrer can be faked I figured I'd ask to be sure.


Comments

  • Registered Users Posts: 4,003 ✭✭✭rsynnott


    This is the remote_user coming from apache? Nope, it should be safe enough.


  • Registered Users Posts: 6,511 ✭✭✭daymobrew


    REMOTE_USER is the one set by Apache when the script is subject to authentication.


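Added example, not part of the thread and not Apache's or CGI.pm's own code: a small Perl model of how a CGI/1.1 server (RFC 3875) builds a script's environment, which shows why a client cannot plant REMOTE_USER. Every client request header is exposed as HTTP_<NAME> (upper-cased, hyphens to underscores), so a forged "Remote-User" header only ever becomes HTTP_REMOTE_USER; REMOTE_USER and AUTH_TYPE are written solely by the server's authentication module after it has checked the credentials. The functions build_cgi_env and is_admin, the user name the_user, and the constructed request headers are all assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): models the CGI/1.1 environment a server
# hands to a script, to show that REMOTE_USER is out of the client's reach.
use strict;
use warnings;

# Build the CGI environment from a request.
#   $headers   - hashref of client request headers (constructed sample input)
#   $auth_user - user name established by the server's Basic auth module,
#                or undef when the location is not protected / auth failed
# Client headers become HTTP_* variables exactly as Apache maps them;
# REMOTE_USER and AUTH_TYPE come only from the server's own auth step.
sub build_cgi_env {
    my ($headers, $auth_user) = @_;
    my %env;
    for my $name (sort keys %$headers) {
        (my $key = uc $name) =~ s/-/_/g;   # "Remote-User" -> "REMOTE_USER"
        $env{"HTTP_$key"} = $headers->{$name};   # ... but prefixed: HTTP_REMOTE_USER
    }
    if (defined $auth_user) {
        $env{AUTH_TYPE}   = 'Basic';
        $env{REMOTE_USER} = $auth_user;
    }
    return \%env;
}

# Admin gate as in the original post, with one extra check: the server must
# actually have performed authentication (AUTH_TYPE set).  This catches the
# real-world failure mode where the script is reachable from a path that the
# 'require valid-user' rule does not cover.
sub is_admin {
    my ($env) = @_;
    return 0 unless defined $env->{AUTH_TYPE};
    return 0 unless defined $env->{REMOTE_USER};
    return $env->{REMOTE_USER} eq 'the_user' ? 1 : 0;
}

# Constructed request: the client tries to smuggle an identity in a header.
my %forged = ('Remote-User' => 'the_user', 'Host' => 'example.invalid');

# Unprotected location: the header lands in HTTP_REMOTE_USER and nothing else.
my $unauth = build_cgi_env(\%forged, undef);
printf "no auth:   REMOTE_USER=%s HTTP_REMOTE_USER=%s admin=%d\n",
    $unauth->{REMOTE_USER} // '(unset)', $unauth->{HTTP_REMOTE_USER}, is_admin($unauth);

# Protected location: only the server's auth result populates REMOTE_USER.
my $auth = build_cgi_env(\%forged, 'the_user');
printf "Basic auth: REMOTE_USER=%s AUTH_TYPE=%s admin=%d\n",
    $auth->{REMOTE_USER}, $auth->{AUTH_TYPE}, is_admin($auth);
```

Run it with `perl remote_user_demo.pl`: the first line reports REMOTE_USER unset and admin=0 despite the forged header, the second reports admin=1 only once the simulated server-side authentication has run. The extra AUTH_TYPE check in is_admin is the part worth carrying into a real script: the REMOTE_USER guarantee holds for Apache's own authentication, so the remaining risk is configuration (a script also reachable outside the protected directory, or a front-end proxy forwarding identity in a header that the back end must strip rather than trust).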