[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files

Maria McKinley parody at u.washington.edu
Wed Oct 10 18:42:57 CDT 2007


On 10/10/07, Maria McKinley <parody at u.washington.edu> wrote:
> On 10/10/07, Christophe David <pmwiki at christophedavid.org> wrote:
> > > which temporary file contains the password ?
> >
> > The path for PHP session files is defined by "session.save_path" in
> > php.ini. (phpinfo() should give you the settings on your system.)
> >
> > Details on http://www.php.net/session .
> >
> > The files are plain text with all variables stored in clear.
> >
> > Thank you for your help.
> >
> > Christophe
> >
>
> This is definitely a problem, thanks for pointing it out. On my
> system, it saves to /tmp, which is not readable from the web, but
> still a bad idea. The trick is to encrypt it. I tried the code below
> in my config.php, but I must not have the syntax correct. Maybe
> someone with more php knowledge can help us out:
>
> $DefaultPasswords['edit'] = crypt('id:*');
>
> cheers,
> maria
>

After further investigation, I don't think the problem is syntax. I
think the encryption was set up to work with the pmwiki authorization
stuff, and it just doesn't work with ldap. I think ldap doesn't have
the ability to unencrypt the password, and I'm not sure how to fix
that...

cheers,
maria
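The mitigation Maria is reaching for ("the trick is to encrypt it") can also be applied one layer down, at the PHP session store itself, which covers the case she runs into with LDAP: a backend that needs the password itself rather than a hash means the application has to keep the cleartext somewhere, so the store holding it is what has to be protected. The following is an added example, not code from this thread or from PmWiki. It assumes PHP 8.0 or later with the OpenSSL extension, a run from the CLI, and a 32-byte server-side key kept outside the web root (generated on the fly here for the demo); the session id, user name and password are constructed sample values.

```php
<?php
// Added example, not code from the pmwiki-users thread or from PmWiki: an
// encrypting session save handler, so whatever an application keeps in
// $_SESSION reaches session.save_path only as AES-256-GCM ciphertext.
// Assumptions: PHP 8.0+ with the OpenSSL extension, run from the CLI, and a
// 32-byte server-side key held outside the web root (constructed here).
final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private const CIPHER = 'aes-256-gcm';

    public function __construct(private string $dir, private string $key)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('key must be 32 bytes');
        }
    }

    // Only the characters PHP itself uses in session ids, so a crafted id
    // cannot name a file outside the session directory.
    private function path(string $id): string
    {
        if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        if (!is_file($file) || strlen($blob = (string) file_get_contents($file)) < 28) {
            return '';                                  // new or empty session
        }
        // Layout on disk: 12-byte IV | 16-byte GCM tag | ciphertext.
        $plain = openssl_decrypt(substr($blob, 28), self::CIPHER, $this->key,
            OPENSSL_RAW_DATA, substr($blob, 0, 12), substr($blob, 12, 16), $id);
        return $plain === false ? '' : $plain;          // tampered file => empty session
    }

    public function write(string $id, string $data): bool
    {
        $iv  = random_bytes(12);
        $tag = '';
        // The session id is the associated data, binding the ciphertext to
        // its own file so one session's blob cannot be copied over another's.
        $ct = openssl_encrypt($data, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, $id);
        return $ct !== false
            && file_put_contents($this->path($id), $iv . $tag . $ct, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $n = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $max_lifetime < time() && unlink($f)) {
                $n++;
            }
        }
        return $n;
    }
}

// Demo run. In production the key comes from a file readable only by the web
// server user; here it is generated for the run, as is the private directory.
$dir = sys_get_temp_dir() . '/enc-sess-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
session_set_save_handler(new EncryptedFileSessionHandler($dir, random_bytes(32)), true);
ini_set('session.use_cookies', '0');        // CLI: no HTTP cookie headers
ini_set('session.use_strict_mode', '0');
$id = 'demo' . bin2hex(random_bytes(8));    // constructed session id
session_id($id);
session_start();
$_SESSION['authid'] = 'alice';              // constructed sample credentials
$_SESSION['authpw'] = 'Hunter2!';
session_write_close();

$raw = (string) file_get_contents("$dir/sess_$id");
printf("password readable in session file: %s\n", str_contains($raw, 'Hunter2!') ? 'yes' : 'no');
session_id($id);
session_start();                            // decrypts transparently on read
printf("round trip: %s\n", ($_SESSION['authpw'] ?? null) === 'Hunter2!' ? 'ok' : 'FAILED');
session_destroy();
rmdir($dir);
```

Run from the command line it prints `password readable in session file: no` followed by `round trip: ok`. The key, rather than the session file, is now the thing to guard: keep it in a file readable only by the web server user, and keep the session directory itself mode 0700 and outside any web-served path (the thread's point about /tmp being "still a bad idea" stands, since any local account that can read the directory can read the files). This closes off readers of the session store, such as backups, other accounts on a shared host or a misconfigured save_path; it does nothing against a compromise of the running PHP process, which necessarily holds the key.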


