|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: remote_user and apache
From: PCbob - Slobodan miskoviC (Yugoslavia
CANADA.COM)Date: Wed Aug 02 2000 - 11:50:06 CDT
- Next message: Holger van Koll: "Re: remote_user and apache"
- Previous message: Ex Machina: "Re: Wonky Mail Filters from vuln-dev subscribers"
- In reply to: David Augros: "remote_user and apache"
- Next in thread: Holger van Koll: "Re: remote_user and apache"
- Reply: PCbob - Slobodan miskoviC: "Re: remote_user and apache"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
David Augros wrote:
> My interest is in whether the 'remote_user' variable is trustworthy
> enough to decide that we are dealing with an authenticated user who is
> not faking his login name. Any insights/pointers are welcome.
The remote_user variable is used for browser authentication, and i do
not see any use of spoofing username as server requires password every
time. You are probably thinking that remote user gives you the username on
client machine, which is wrong. So if user is "spoofing" his username he
must "spoof" his password too, which would me he found out someone else's
login data.
cheer
- Next message: Holger van Koll: "Re: remote_user and apache"
- Previous message: Ex Machina: "Re: Wonky Mail Filters from vuln-dev subscribers"
- In reply to: David Augros: "remote_user and apache"
- Next in thread: Holger van Koll: "Re: remote_user and apache"
- Reply: PCbob - Slobodan miskoviC: "Re: remote_user and apache"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]