RavenWiki

Difference between revisions of "PHP library"

(Add note about 0.5 security problem)
Revision as of 11:09, 29 April 2008

The UcamWebauth PHP class provides an application agent for making authentication requests to the UcamWebauth server that can be called from PHP.

This could be useful if you want to embed authentication logic within a PHP web application. If all you want to do is Raven-protect some PHP-processed pages, you would probably be better off using container-managed security such as that provided by the Raven Apache modules.

This module is really alpha-quality software and in need of further development. However, it could be a useful starting point for anyone wanting to use Raven and PHP.

Note that versions of this library prior to 0.51 contained a security vulnerability, in that they used the value of the 'Host' header of the incoming HTTP request to validate 'Authentication response' messages. The Host header is under the control of a potential attacker and, by altering it, an attacker might be able to replay an existing Authentication Response message against a site that relies on the PHP library. This problem is resolved in version 0.51, at the expense of an incompatible change: a securely obtained host name must be supplied before invoking the library functions.

This problem also affected versions of this library identified as 0.6 and 0.61 that were distributed only as part of Raven authentication support for phpBB3 in early 2008. [NB Version 0.51 is not suitable as a replacement for those versions as it lacks required new facilities - a corrected version of the Raven support is under development and will be announced when available.]
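The following is an added illustration of the Host-header problem described above; it is not code from the UcamWebauth PHP library. It assumes (the page does not say this) that the authentication response is a '!'-separated string whose sixth field is the URL the response was issued for, and it omits signature checking entirely.

```php
<?php
// Added example, not the library's code. Assumption: the response is
// '!'-separated and field index 5 carries the URL it was issued for.

// Extract the URL field from a response string (constructed format).
function response_url(string $wls_response): ?string {
    $fields = explode('!', $wls_response);
    return isset($fields[5]) ? $fields[5] : null;
}

// Pre-0.51 pattern: the host to validate against is taken from the
// request's Host header, i.e. from whoever sent the request.
function host_from_request(array $server): string {
    return $server['HTTP_HOST'];
}

// Shared check: the response's URL host must equal the trusted host.
// In the 0.51 pattern $trusted_host comes from application configuration.
function check_response_host(string $wls_response, string $trusted_host): bool {
    $url = response_url($wls_response);
    if ($url === null) {
        return false;
    }
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $trusted_host) === 0;
}

// Constructed sample: a response issued for site-a, later presented to
// site-b. The Host header value is whatever the requester chose to send.
$replayed = '1!200!!20080429T110900Z!id1!https://site-a.example/login'
          . '!user1!pwd!!3600!!2!SIGNATURE';
$server = ['HTTP_HOST' => 'site-a.example'];

// Host taken from the request: the replayed response passes.
var_dump(check_response_host($replayed, host_from_request($server)));  // bool(true)

// Host taken from configuration: the replayed response is rejected.
$configured_host = 'site-b.example';
var_dump(check_response_host($replayed, $configured_host));            // bool(false)
```

The only difference between the two calls is where the expected host comes from, which is exactly the change version 0.51 makes by requiring the caller to supply it.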

This module is distributed under the terms of the GNU Lesser General Public License and is currently minimally maintained by Jon Warbrick and John Line.