Quote:
Originally Posted by mlove
My passwords were encrypted, and authentication data was displayed just fine.

Prior to PHP, TeenCat was right, passwords were treated as information known only
to the user. Only a HASH of the password was saved in the password file, so the only
way for a bad guy to get the password was if the user gave it to the bad guy.
Apache set a variable for the user name so scripts could tell who the user was, but the
password was a secret only the user knew. PHP of course took its priority list from
Windows, where security is a footnote on page #762, so the PHP guys dug into the
Apache request_rec, got the password submitted by the user, and put it in a nice
variable so that all a hacker has to do is get you to post on a PHP forum and in most
cases he can easily crack the forum to have it include your password in a comment
tag within your post.
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
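The split this post describes (the server checks the submitted password against a stored hash and hands scripts only the user name), as an added example that is not part of the original post or of any product named in it. The password file contents, the function names and the use of PBKDF2 in place of an htpasswd hash format are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

def hash_password(password, salt):
    # PBKDF2-SHA256 stands in for whatever hash the real password file uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: only salt and hash are stored, never the password.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD_FILE = {"alice": (SALT, hash_password("correct horse", SALT))}

# Headers that carry credentials and must never reach application code.
CREDENTIAL_HEADERS = ("authorization", "proxy-authorization")

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def script_environment(request_headers):
    """Verify credentials, then build the environment a script is given."""
    creds = parse_basic(request_headers.get("Authorization", ""))
    if creds is None:
        return None
    user, password = creds
    # Unknown users still cost one hash computation and then fail the compare.
    salt, stored = PASSWORD_FILE.get(user, (SALT, b""))
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    # The script learns who the user is, not what the user typed.
    env = {"REMOTE_USER": user, "AUTH_TYPE": "Basic"}
    for name, value in request_headers.items():
        if name.lower() not in CREDENTIAL_HEADERS:
            env["HTTP_" + name.upper().replace("-", "_")] = value
    return env
```

A quick audit for an existing deployment is to dump the environment a script actually receives and confirm that no variable contains the submitted password or the raw `Authorization` header.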