Vulnerability Development: remote_user and apache

[David Augros <dave () NRMAIL COM>]

Sorry if this is offtopic, but I figure it's close enough to try.

Does anybody know how basic http auth is handled (in particular, by
apache)? Specifically, I am interested in the env variable 'remote_user'
which is inherited by cgi's. How does this get to the cgi from the
browser? I know the login/passwd are uuencoded into a single string and
sent to the http server, but does httpd get the username by decoding
this string, or does a separate (i.e. spoofable) header indicate the
username?

My interest is in whether the 'remote_user' variable is trustworthy
enough to decide that we are dealing with an authenticated user who is
not faking his login name. Any insights/pointers are welcome.

--
Dave