syntax53 Posted March 17, 2009
Hello, first time poster here. I have a security concern that the interwebs can't seem to solve for me. I use PHP_AUTH_USER for a ton of applications here at work. This is an IIS box with PHP running as CGI. PHP_AUTH_USER is the best way to consistently retrieve an authenticated user name via NTLM. There are 2-3 other employees starting to design applications and I'd like to restrict them from pulling out other employees' passwords with PHP_AUTH_PW, which shows any authenticated user's password in plain text. I read that turning on safe mode disables PHP_AUTH completely, which I don't want to do because I need PHP_AUTH_USER. If I recall, the REMOTE_USER variable wasn't consistent when I started developing my applications. The directives under safe mode for 'disable_functions' and 'disable_classes' don't appear to be much help. I've also read that you could disable all or part of php_auth in the source code and recompile. However, I'm not sure how I would go about that route being in a Windows environment. Seems like this would be a pretty common issue with a normal security concern. Since I can't find anything concrete on the web I'm assuming I'm missing something obvious? Thanks
Link to comment https://forums.phpfreaks.com/topic/149839-disable-php_auth_pw/
rhodesa Posted March 17, 2009
Off the top of my head... you could set an auto_prepend_file in the php.ini that gets run before every script. This file could unset() the value of PHP_AUTH_PW: http://us3.php.net/manual/en/ini.core.php#ini.auto-prepend-file
Edit: just had another idea. You could give each application a separate php.ini file that makes them run in safe_mode... therefore disabling PHP_AUTH_* for applications.
syntax53 (Author) Posted March 17, 2009
Nice one. That definitely seems to work. I configured the includes directory/prepend setting and put in a file with the following:

<?php
// Prepended to every script via auto_prepend_file: drop the plaintext password before the application code runs
unset($_SERVER['AUTH_PASSWORD']); // IIS server variable
unset($_SERVER['PHP_AUTH_PW']);   // PHP's copy of it
?>
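A fuller version of that prepend file, written here as an added example and not taken from this thread: besides $_SERVER it also clears the $_ENV copy and the process environment that getenv() reads, since under CGI the web server hands its server variables to PHP as environment variables. The file path, the constant and the function name are assumptions for the example.

```php
<?php
// scrub_auth_password.php (assumed name): an auto_prepend_file that removes the
// plaintext password from every place PHP can expose it, before any script runs.
// Assumed php.ini setting:
//   auto_prepend_file = "C:\inetpub\php-includes\scrub_auth_password.php"

// PHP_AUTH_PW is PHP's own variable; AUTH_PASSWORD is the IIS server variable.
const PASSWORD_KEYS = ['PHP_AUTH_PW', 'AUTH_PASSWORD'];

/**
 * Remove each password-bearing key from $server, $env and the real process
 * environment. Returns the list of locations that actually held a value, so
 * the prepend file can log which copies it had to scrub.
 */
function scrub_auth_password(array &$server, array &$env): array
{
    $removed = [];
    foreach (PASSWORD_KEYS as $key) {
        if (array_key_exists($key, $server)) {
            unset($server[$key]);
            $removed[] = "_SERVER[$key]";
        }
        // $_ENV is only populated when variables_order contains "E".
        if (array_key_exists($key, $env)) {
            unset($env[$key]);
            $removed[] = "_ENV[$key]";
        }
        // getenv() reads the live environment, not $_SERVER, so blank the
        // variable itself; putenv("NAME=") sets it to an empty string.
        if (getenv($key) !== false && getenv($key) !== '') {
            putenv("$key=");
            $removed[] = "getenv:$key";
        }
    }
    return $removed;
}

$scrubbed = scrub_auth_password($_SERVER, $_ENV);
if ($scrubbed !== []) {
    // Record that a password was present and removed (value never logged).
    error_log('scrubbed credential copies: ' . implode(', ', $scrubbed));
}

// PHP_AUTH_USER is deliberately left intact so applications can still read
// the NTLM-authenticated user name.
```

After deployment, a one-line script that calls var_dump(getenv('PHP_AUTH_PW'), $_SERVER['PHP_AUTH_PW'] ?? null) should show only empty or null values.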