[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files

Maria McKinley parody at u.washington.edu
Wed Oct 10 18:09:00 CDT 2007


On 10/10/07, Christophe David <pmwiki at christophedavid.org> wrote:
> > which temporary file contains the password ?
>
> The path for PHP session files is defined by "session.save_path" in
> php.ini. (phpinfo() should give you the settings on your system.)
>
> Details on http://www.php.net/session .
>
> The files are plain text with all variables stored in clear.
>
> Thank you for your help.
>
> Christophe
>

This is definitely a problem, thanks for pointing it out. On my
system, it saves to /tmp, which is not readable from the web, but
still a bad idea. The trick is to encrypt it. I tried the code below
in my config.php, but I must not have the syntax correct. Maybe
someone with more php knowledge can help us out:

$DefaultPasswords['edit'] = crypt('id:*');

cheers,
maria
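As an added illustration of the issue discussed above (example code written for this thread, not PmWiki's own code nor Maria's or Christophe's), the snippet below shows what PHP's default file-based session handler writes to session.save_path, contrasts a login that puts the submitted password into $_SESSION with one that keeps only the verified identity, and reports whether the session directory is readable by other local users. It assumes PHP 5.5 or later for password_hash()/password_verify(); the user name and password values are constructed for the demo.

```php
<?php
// Added example, not part of PmWiki. Shows why a plaintext password in $_SESSION
// ends up on disk in the clear, and how to avoid putting it there at all.

// PHP's "files" session handler stores the serialized session array as plain text.
// serialize() of the same array is what a reader of that file would see.
function sessionFileContents(array $sessionVars): string
{
    return serialize($sessionVars);
}

// Hardened login: verify the submitted password against a stored hash, then keep only
// the user name and a timestamp in the session. The password itself is never placed
// in $_SESSION, so it never reaches session.save_path.
function loginWithoutStoringPassword(string $user, string $submitted, array $userHashes): array
{
    if (!isset($userHashes[$user]) || !password_verify($submitted, $userHashes[$user])) {
        return [];  // failed login: nothing enters the session
    }
    return ['authid' => $user, 'authts' => time()];
}

// Inspect the directory session.save_path points to (empty means the system temp dir).
// save_path may carry an "N;mode;/dir" prefix; only the trailing directory matters here.
function sessionStoreReport(): array
{
    $path = ini_get('session.save_path');
    if ($path === false || $path === '') {
        $path = sys_get_temp_dir();
    }
    $semi = strrpos($path, ';');
    $dir  = $semi === false ? $path : substr($path, $semi + 1);
    $perms = @fileperms($dir);
    if ($perms === false) {
        return ['dir' => $dir, 'error' => 'directory not found or not accessible'];
    }
    return [
        'dir'             => $dir,
        'mode'            => substr(sprintf('%o', $perms), -4),
        'others_can_read' => ($perms & 0004) !== 0,   // world-readable bit set
    ];
}

// Demo with constructed values: one user whose stored credential is a hash, not a password.
$hashes = ['maria' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Naive approach: the raw password is stored, so it lands in the session file verbatim.
echo "naive:          ", sessionFileContents(['authid' => 'maria', 'authpw' => 'correct horse']), "\n";
// Hardened approach: only the identity and time of authentication are stored.
echo "hardened:       ", sessionFileContents(loginWithoutStoringPassword('maria', 'correct horse', $hashes)), "\n";
// A wrong password yields an empty session array.
echo "wrong password: ", sessionFileContents(loginWithoutStoringPassword('maria', 'nope', $hashes)), "\n";
print_r(sessionStoreReport());
```

Run it from the command line to see the two serialized forms side by side and the permissions of the session directory on your host; a mode whose last digit includes the read bit (for example 0755) means every local account can open the session files, whereas 0700 or a per-vhost save_path limits exposure to the web server's own user.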


