[pmwiki-users] error in .htpasswd - Auth

Patrick R. Michaud pmichaud at pobox.com
Fri Nov 18 13:15:43 CST 2005

On Wed, Nov 16, 2005 at 09:36:37PM +0100, Patrick Ogay wrote:
> I spent a lot of time testing authuser, and I often had strange results.
> ...

Here's my comments on your configuration:

> farmconfig:
> <?php
> [...]
> ### globale Modules
>  require_once("$FarmD/scripts/authuser.php");     

Note that in order for authuser.php to work the $AuthUser variables
have to be set *before* loading the script.  If you set them afterwards,
it won't work.

> ## Addons/User Actions
> ##adds action=setuser&user=user&passwd=passwd
> ## uses php "system" to execute a shellscript  in usr/local/bib
> global $HandleActions;
> SDV($HandleActions['setuser'], 'setUser');
> function setUser($pagename) {
>  echo "setuser".$_GET[user].$_GET[passwd];
>  if ($_GET[user] && $_GET[passwd]){
>    $cmd = "_htpasswd ".$_GET[user]." ".$_GET[passwd];
>    echo "=$cmd=";
>    system($cmd, $result);
> [...]

This looks *very* dangerous; as written here I suspect that a 
malicious user would be able to use ?action=setuser to be able
to execute arbitrary commands on the server.


More information about the pmwiki-users mailing list