[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files

Dominique Faure dominique.faure at gmail.com
Fri Oct 12 09:40:14 CDT 2007


On 10/11/07, Maria McKinley <parody at u.washington.edu> wrote:
> On 10/10/07, Maria McKinley <parody at u.washington.edu> wrote:
> > On 10/10/07, Christophe David <pmwiki at christophedavid.org> wrote:
> > > > which temporary file contains the password ?
> > >
> > > The path for PHP session files is defined by "session.save_path" in
> > > php.ini. (phpinfo() should give you the settings on your system.)
> > >
> > > Details on http://www.php.net/session .
> > >
> > > The files are plain text with all variables stored in clear.
> > >
> > > Thank you for your help.
> > >
> > > Christophe
> > >
> >
> > This is definitely a problem, thanks for pointing it out. On my
> > system, it saves to /tmp, which is not readable from the web, but
> > still a bad idea. The trick is to encrypt it. I tried the code below
> > in my config.php, but I must not have the syntax correct. Maybe
> > someone with more php knowledge can help us out:
> >
> > $DefaultPasswords['edit'] = crypt('id:*');
> >
> > cheers,
> > maria
> >
>
> After further investigation, I don't think the problem is syntax. I
> think the encryption was set up to work with the pmwiki authorization
> stuff, and it just doesn't work with ldap. I think ldap doesn't have
> the ability to unencrypt the password, and I'm not sure how to fix
> that...
>
> cheers,
> maria
>

AFAIK, there's no *simple* means of solving what you called an issue.

I don't want to describe all the gory details here (you may see
[1], [2] and the PHP documentation for references), but basically
PmWiki uses the session data as a backup of what the user typed in the
password field, which can then be re-used as is by the whole auth
chain each time a new wiki page is requested (submitted with or
without preliminary encryption to the configured auth scheme as
required).

So, encrypting the session data would require using a two-way
encryption cipher and a dedicated password in order to be able to
retrieve the original data. Then, where would you store this password?

Corollary question: If someone is able to look at your session data,
how could you prevent him from also having a look at your config.php?

Finally, did you know that the password you entered in the auth field
was sent without any encryption from your browser to the server
hosting your wiki?

[1] http://www.faqs.org/rfcs/rfc2616.html
[2] http://www.faqs.org/rfcs/rfc2965.html
-- 
Dominique
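As an added example (not code from the original thread and not part of PmWiki), the script below decodes PHP's default session file format, the "php" serialize handler that writes entries as `name|<serialized value>`, and flags session variables whose names suggest a credential. It is the check an administrator would run against whatever `session.save_path` points at to see what is actually recoverable from those files. The sample session blob and the variable names in it (authid, authpw, authlist) are constructed for this example and only loosely modelled on what a wiki might store; the file-mode check assumes a Unix-style permission model.

```python
import os
import re
import stat
from typing import Any, Dict, List, Tuple

# Key names that suggest a stored credential. Assumption for the example;
# tune this for your own application's session variable names.
SECRET_KEY_PATTERN = re.compile(r"(pass|pw|secret|token|cred)", re.IGNORECASE)

# Constructed sample of a session file body as written by PHP's "php"
# serialize handler: entries are concatenated as name|<serialized value>.
# The names and values are invented for this example.
SAMPLE_SESSION = (
    b'authid|s:5:"maria";'
    b'authpw|a:1:{s:9:"hunter2!!";i:1;}'
    b'authlist|a:1:{s:8:"id:maria";i:1;}'
)


def _parse_value(buf: bytes, pos: int) -> Tuple[Any, int]:
    """Decode one PHP serialize() value starting at buf[pos].

    Returns (python value, offset just past the value). Supports the
    scalar types N, b, i, d, s and nested arrays a; string lengths are
    byte counts, exactly as PHP writes them.
    """
    t = buf[pos:pos + 1]
    if t == b"N":                                  # N;
        return None, pos + 2
    if t in (b"i", b"d", b"b"):                    # i:42;  d:1.5;  b:1;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        if t == b"i":
            return int(raw), end + 1
        if t == b"d":
            return float(raw), end + 1
        return raw == b"1", end + 1
    if t == b"s":                                  # s:<len>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                          # skip ':"'
        value = buf[start:start + length].decode("utf-8", "replace")
        return value, start + length + 2           # skip '";'
    if t == b"a":                                  # a:<n>:{key;value;...}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        p = colon + 2                              # skip ':{'
        result: Dict[Any, Any] = {}
        for _ in range(count):
            key, p = _parse_value(buf, p)
            value, p = _parse_value(buf, p)
            result[key] = value
        return result, p + 1                       # skip '}'
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")


def parse_php_session(blob: bytes) -> Dict[str, Any]:
    """Decode a whole session file body into {variable name: value}."""
    session: Dict[str, Any] = {}
    pos = 0
    while pos < len(blob):
        bar = blob.index(b"|", pos)
        name = blob[pos:bar].decode("utf-8", "replace")
        session[name], pos = _parse_value(blob, bar + 1)
    return session


def find_cleartext_secrets(session: Dict[Any, Any], path: str = "") -> List[Tuple[str, Any]]:
    """Return (dotted path, value) for every variable whose name looks like a credential.

    When a matching name holds an array, the whole array is reported: a
    password used as an array *key* (e.g. authpw => {"<pw>": 1}) is just as
    much in the clear as one stored as a value.
    """
    hits: List[Tuple[str, Any]] = []
    for key, value in session.items():
        full = f"{path}.{key}" if path else str(key)
        if SECRET_KEY_PATTERN.search(str(key)):
            hits.append((full, value))
        elif isinstance(value, dict):
            hits.extend(find_cleartext_secrets(value, full))
    return hits


def scan_session_files(files: Dict[str, bytes]) -> Dict[str, List[Tuple[str, Any]]]:
    """Map file name -> findings for every session body that leaks a credential."""
    findings: Dict[str, List[Tuple[str, Any]]] = {}
    for name, blob in files.items():
        try:
            hits = find_cleartext_secrets(parse_php_session(blob))
        except ValueError as exc:                  # truncated or non-"php" handler data
            hits = [("<parse error>", str(exc))]
        if hits:
            findings[name] = hits
    return findings


def scan_session_dir(save_path: str) -> Dict[str, List[Tuple[str, Any]]]:
    """Read every sess_* file under session.save_path and report leaked credentials.

    Also flags files readable by group or others, since on a shared host
    that is how another tenant gets at them.
    """
    files: Dict[str, bytes] = {}
    findings: Dict[str, List[Tuple[str, Any]]] = {}
    for name in sorted(os.listdir(save_path)):
        if not name.startswith("sess_"):
            continue
        full = os.path.join(save_path, name)
        mode = os.stat(full).st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.setdefault(name, []).append(("<file mode>", oct(stat.S_IMODE(mode))))
        with open(full, "rb") as fh:
            files[name] = fh.read()
    for name, hits in scan_session_files(files).items():
        findings.setdefault(name, []).extend(hits)
    return findings


if __name__ == "__main__":
    for path, value in find_cleartext_secrets(parse_php_session(SAMPLE_SESSION)):
        print(f"{path}: {value!r}")
```

Run `scan_session_dir("/tmp")` (or whatever `session.save_path` reports) as the web server user and again as an unprivileged local user; anything the second run can read is what a neighbouring account on the host can read too, which is the point of the corollary question above.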


