[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files

Neil Herber (nospam) nospam at eton.ca
Wed Oct 10 09:27:07 CDT 2007


Christophe David wrote:
> This question was already posted in August, but did not receive any
> answer.  Same player shoots again ;-)
> 
> PHP stores session data to temporary files on the server. These files
> contain in clear all the session variables and their values.
> 
> When using AuthUser, PmWiki stores the user password in clear in a
> session variable.  Therefore, the user password can be read very
> easily by anyone who has access to the server.
> 
> This is especially annoying when using LDAP, as the user password is
> typically used to authenticate on several systems.  Therefore, the use
> of PmWiki with LDAP creates a security issue for the other systems
> using LDAP.
> 
> Any idea how to avoid this?

Maybe I just don't understand the problem, but if you use a secure 
authentication method other than the built-in PmWiki passwords, I can't 
see how PHP or PmWiki can know the password.

For example, on my protected wikis I use Apache BA to authenticate the 
users. PmWiki only has to look at the authenticated user name to grant 
or deny access. There is no way I can see that it has access to the 
password.

-- 
Neil Herber
Corporate info at http://www.eton.ca/
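The two patterns the thread contrasts, as an added example that is not PmWiki's code and not part of either message: `login_weak` copies the submitted password into the session array, so PHP's file session handler writes it in clear into the `sess_*` file; `login_hardened` verifies the password once and records only the verified identity. The function names, the session keys, the `$session` array standing in for `$_SESSION`, and the constructed user table with `password_hash` (where an LDAP deployment would use `ldap_bind`) are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not PmWiki code. Contrasts a login that stores the password
// in the session (what the thread describes) with one that does not.
// All names and the credential store below are assumptions for this example.

// Constructed credential store; hashes are generated at runtime so the file
// runs offline. An LDAP setup would replace authenticate() with ldap_bind().
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function authenticate(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Weak: the pattern the thread complains about. $session stands in for
// $_SESSION so the functions can be exercised from the CLI without session_start().
function login_weak(array $users, array &$session, string $user, string $password): bool
{
    if (!authenticate($users, $user, $password)) {
        return false;
    }
    $session['authid'] = $user;
    $session['authpw'] = $password;   // serialized in clear into the sess_* file
    return true;
}

// Hardened: verify once, then keep only non-secret facts about the login.
function login_hardened(array $users, array &$session, string $user, string $password): bool
{
    if (!authenticate($users, $user, $password)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);  // fresh id after login; old session file is removed
    }
    $session['authid']    = $user;
    $session['auth_ok']   = true;
    $session['auth_time'] = time();
    return true;
}

// Review helper: does any session value still equal the submitted password?
function session_leaks_password(array $session, string $password): bool
{
    foreach ($session as $value) {
        if (is_string($value) && hash_equals($value, $password)) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI === 'cli') {
    $pw = 'correct horse battery staple';
    foreach (['login_weak', 'login_hardened'] as $fn) {
        $session = [];
        $ok = $fn($USERS, $session, 'alice', $pw);
        printf("%-15s ok=%s leaks_password=%s keys=%s\n",
            $fn,
            var_export($ok, true),
            var_export(session_leaks_password($session, $pw), true),
            implode(',', array_keys($session)));
    }
}
```

Run it with `php example.php`; the weak variant reports the password present in the session data, the hardened one does not. Even with the hardened pattern the session file still holds the user name in clear, so `session.save_path` should point at a directory readable only by the web server account rather than the shared system temp directory.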
