[pmwiki-users] authuser forcing Author name stopped working?

H. Fox haganfox at gmail.com
Fri Jul 8 00:00:17 CDT 2005


On 7/7/05, Neil Herber <nospam at eton.ca> wrote:
> At 2005-07-07  09:02 PM -0700, H. Fox is rumored to have said:
> >Oops.  This might be better.
> >
> >    if ($action == 'edit') @session_start();
> >    if (@$_SESSION['authid']) {
> >      $Author=@$_SESSION['authid'];
> >    } else if (@$_POST['authid']) {
> >      $Author = $_POST['authid'];
> >      setcookie('author', $Author, 0, '/');
> >    } else if (@$_COOKIE['author']) {
> >      $Author = $_COOKIE['author'];
> >    }
> >
> >Hagan
>
> I am disappointed to report that neither one prevents author spoofing. What
> I know about PHP fits on the back of a postage stamp, but my gut feel is
> that an authid test would have to be performed by authuser and can't be
> tacked on after the fact.
>
> It needs to do something like:
>
> if user name on form exists in .htpasswd
>          if passwords match
>                  user is authenticated, set author name
>          else
>                  user is a spoofer, refuse entry
>          endif

authuser.php does this automatically.

> else
>          if password matches the shared password
>                  user is unauthenticated, but we will accept the author name
>          else
>                  user is a complete bozo, refuse entry
>          endif
> endif

In my testing it did exactly that.

I didn't try leaving the Name field blank, so I don't know how to
check for the semi-bozo who knows the password but doesn't provide a
name.

Maybe try this line before calling authuser.php:

if (@$_POST['authid'] == '') unset($_POST['authpw']);

Did you clear your cookies for the test? (The `zapcookies' bookmarklet
works great for that, btw).

Did you notice the two lines missing?  (Almost certainly so, come to
think of it.)  Here's the whole thing:

  # password file that authuser.php checks form logins against
  $AuthUser['htpasswd'] = '/path/to/your/.htpasswd';
  include_once("$FarmD/scripts/authuser.php");
  if ($action == 'edit') @session_start();
  # an identity set by authuser.php takes precedence over anything in the request
  if (@$_SESSION['authid']) {
    $Author=@$_SESSION['authid'];
  } else if (@$_POST['authid']) {
    # name typed on the form: use it and remember it in a cookie
    $Author = $_POST['authid'];
    setcookie('author', $Author, 0, '/');
  } else if (@$_COOKIE['author']) {
    # otherwise fall back to the name remembered from an earlier edit
    $Author = $_COOKIE['author'];
  }

I can't test right now, but I'll be back in a couple of hours and I'll
try again then.

Hagan

> Neil
>
> Neil Herber
> Corporate info at http://www.eton.ca/
> Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
> Tel: (613) 829-4668
>
>
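
An added example (not PmWiki's code and not from either poster) that pulls the
author-name precedence and the blank-name check from the messages above into
two pure functions, so the behaviour can be exercised with constructed request
arrays instead of live superglobals. It assumes authuser.php has already put an
.htpasswd-authenticated login into the session array's 'authid' key, and that
the POST array carries the form's 'authid' and 'authpw' fields as in the thread.

```php
<?php
// Resolves the author name with the same order as the snippet in the message:
// session identity, then the name posted on the form, then the cookie.
// Returns the name (or null) and whether the caller should issue the cookie.
function resolve_author(array $session, array $post, array $cookie): array
{
    // 1. A login that authuser.php verified against .htpasswd always wins;
    //    an 'authid' field in the POST body or an old cookie cannot override it.
    if (!empty($session['authid'])) {
        return ['author' => $session['authid'], 'set_cookie' => false];
    }
    // 2. No verified login: accept the name from the form (this is the
    //    shared-password case from the thread) and remember it in a cookie.
    if (!empty($post['authid'])) {
        return ['author' => $post['authid'], 'set_cookie' => true];
    }
    // 3. Otherwise reuse the name remembered from an earlier edit.
    if (!empty($cookie['author'])) {
        return ['author' => $cookie['author'], 'set_cookie' => false];
    }
    return ['author' => null, 'set_cookie' => false];
}

// The "unset authpw when the name is blank" line from the message, as a
// function: a user who knows the shared password but gives no name is treated
// as having given no password, so authuser.php refuses the edit rather than
// accepting an anonymous author. Run this before including authuser.php.
function drop_password_when_nameless(array $post): array
{
    if (!isset($post['authid']) || $post['authid'] === '') {
        unset($post['authpw']);
    }
    return $post;
}

// Constructed request data for a quick self-check.
$r = resolve_author(['authid' => 'alice'], ['authid' => 'admin'], []);
assert($r['author'] === 'alice');               // session identity is kept
$r = resolve_author([], ['authid' => 'bob'], []);
assert($r['author'] === 'bob' && $r['set_cookie']);
$r = resolve_author([], [], ['author' => 'carol']);
assert($r['author'] === 'carol' && !$r['set_cookie']);
$p = drop_password_when_nameless(['authid' => '', 'authpw' => 'shared']);
assert(!isset($p['authpw']));                   // blank name, password dropped
$p = drop_password_when_nameless(['authid' => 'dave', 'authpw' => 'shared']);
assert($p['authpw'] === 'shared');              // named user keeps the password
```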
