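The value of $_SERVER['PHP_AUTH_PW'] (the password from the HTTP authentication header) is passed unescaped to PHP's exec() function, so the command shell interprets any shell metacharacters it contains.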
File: C:\GitStack\gitphp\include\Authentication.class.php
/**
 * Authenticates the current request from the HTTP authentication values that
 * PHP exposes in $_SERVER.
 *
 * The user name must appear in $users. The password is then handed, unchanged,
 * to the backend selected by getAuthMethod() ("file" or "ldap"). Every failure
 * path visible here calls denyAuthentication().
 *
 * NOTE(review): this listing is an excerpt ("Skipped lines"); $users is
 * presumably populated in the omitted part. Confirm against the full file.
 */
public function authenticate() {
// Skipped lines
$authenticated = false;
// Both values are supplied by the client. Nothing in the visible code
// validates, length-limits or escapes them before they are passed on.
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
// Check if the user is in the array of read users
// NOTE(review): in_array() is called without the strict flag, so the match is a
// loose comparison. The password reaches a backend only when this check passes.
if(in_array($username, $users)){
$authMethod = $this->getAuthMethod();
// authenticate with ldap or by file
if($authMethod == "file"){
// The raw password goes to authenticateFile(), which builds a shell command from it.
$authenticated = $this->authenticateFile($username, $password);
} if($authMethod == "ldap") {
$authenticated = $this->authenticateLdap($username, $password);
}
// Loose comparison: any falsy backend result is treated as a failed login.
if ($authenticated == false){
$this->denyAuthentication();
}
} else {
// Unknown user name: rejected without consulting a backend.
$this->denyAuthentication();
}
}
/**
 * Verifies a user name and password using the "file" authentication method.
 *
 * Only one line of the body is shown in this listing. It concatenates a command
 * string and runs it with exec(), asking openssl.exe to compute an apr1
 * password hash from the stored salt and the supplied password.
 *
 * SECURITY: $password is the unmodified $_SERVER['PHP_AUTH_PW'] value passed in
 * by authenticate(). It is appended to the command string without quoting or
 * escaping, so the shell started by exec() parses it as command text
 * (OS command injection, CWE-78).
 *
 * Mitigation notes for maintainers:
 *  - Quote every interpolated value with escapeshellarg(), the salt included.
 *    On Windows, escapeshellarg() replaces '%', '!' and '"' with spaces, so
 *    passwords containing those characters would no longer hash correctly.
 *  - Preferably keep the password off the command line altogether, for example
 *    by feeding it to `openssl passwd -stdin` through proc_open(), or by
 *    computing the hash in-process.
 *
 * NOTE(review): $installDir and $currentUser are set in the skipped lines.
 * Where the salt comes from cannot be confirmed from this excerpt.
 */
private function authenticateFile($username, $password) {
// Skipped lines
// Vulnerable sink: attacker-controlled $password is concatenated into a shell command.
$result = exec($installDir . '/apache/bin/openssl.exe passwd -apr1 -salt ' . $currentUser['salt'] . " " . $password);
}
Timeline
- 15-01-2018: Public