[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files

Christophe David pmwiki at christophedavid.org
Wed Oct 10 08:57:00 CDT 2007


This question was already posted in August, but did not receive any
answer.  Same player shoots again ;-)

PHP stores session data to temporary files on the server. These files
contain in clear all the session variables and their values.

When using AuthUser, PmWiki stores the user password in clear in a
session variable.  Therefore, the user password can be read very
easily by anyone who has access to the server.

This is especially annoying when using LDAP, as the user password is
typically used to authenticate on several systems.  Therefore, the use
of PmWiki with LDAP creates a security issue for the other systems
using LDAP.

Any idea how to avoid this?

Christophe
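The two session designs the question contrasts, as an added illustration that is not PmWiki's code or the poster's: a helper that reproduces the layout of PHP's default "php" session.serialize_handler (what a sess_<id> file holds), a login that keeps the password in $_SESSION, a login that keeps only the verified identity, and the ini settings that limit who can read the session files. The names authid, authpw, auth_ok, login_keeps_password, login_keeps_proof_only and harden_session_storage are assumptions made for this example; the credential is constructed and the verifier closure stands in for LDAP or an htpasswd file.

```php
<?php
// Added example, not PmWiki code. Names authid/authpw/auth_ok and the
// login_* / harden_* functions are hypothetical.

/**
 * Reproduce what the default "php" session.serialize_handler writes to
 * disk: one "key|serialized-value" pair per session variable, no encryption.
 * Feeding it an array lets us inspect the on-disk form without a live session.
 */
function session_file_contents(array $session): string
{
    $out = '';
    foreach ($session as $key => $value) {
        $out .= $key . '|' . serialize($value);
    }
    return $out;
}

/**
 * Design A, the situation described in the question: the password is kept
 * in the session so it can be reused later, and therefore lands in the
 * session file in clear, readable by anyone who can read that file.
 */
function login_keeps_password(string $user, string $password): array
{
    return ['authid' => $user, 'authpw' => $password];
}

/**
 * Design B: verify the password once against the backend, then keep only
 * the identity and the fact that it was verified. Nothing secret is stored;
 * the session ID itself is the proof that this browser logged in.
 * Returns null on a failed login so nothing is written to the session.
 */
function login_keeps_proof_only(string $user, string $password, callable $verify): ?array
{
    if (!$verify($user, $password)) {
        return null;
    }
    return ['authid' => $user, 'auth_ok' => true];
}

/**
 * Settings that reduce who can read session files. Must run before
 * session_start(). The directory is an assumed path; it should be owned by
 * the web server user with mode 0700 and not shared with other PHP apps
 * on the same host (the default save path usually is shared).
 */
function harden_session_storage(string $dir = '/var/lib/php/sessions/wiki'): array
{
    $settings = [
        'session.save_path'       => $dir,
        'session.use_strict_mode' => '1', // reject session IDs the server did not issue
        'session.cookie_httponly' => '1', // keep the session cookie away from scripts
        'session.use_only_cookies' => '1', // no session ID in URLs (and thus in logs)
    ];
    foreach ($settings as $key => $value) {
        ini_set($key, $value);
    }
    return $settings;
}

// Constructed credential; the closure plays the role of the LDAP bind.
$verify = function (string $u, string $p): bool {
    return $u === 'alice' && $p === 'correct horse';
};

echo "Design A session file: ",
    session_file_contents(login_keeps_password('alice', 'correct horse')), "\n";
echo "Design B session file: ",
    session_file_contents(login_keeps_proof_only('alice', 'correct horse', $verify)), "\n";
var_dump(login_keeps_proof_only('alice', 'wrong', $verify)); // NULL: nothing stored
```

Run it from the command line and compare the two lines: the Design A line contains the literal password as a serialized string, the Design B line contains only the username and a boolean. The trade-off is the one implied by the question: once the password is not in the session, a later request cannot bind to LDAP again on the user's behalf, so any per-request backend authorization has to be answered from data captured at login time (group membership, for example) rather than by re-authenticating. Independently of which design is used, harden_session_storage() addresses the "anyone who has access to the server" part: a private save_path with restrictive permissions, strict session IDs, and cookie-only transport, and session_regenerate_id(true) right after a successful login so the pre-login session ID is never the one that carries authentication.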


