[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files

Maria McKinley parody at u.washington.edu
Fri Oct 12 16:13:43 CDT 2007


On 10/12/07, Dominique Faure <dominique.faure at gmail.com> wrote:
> On 10/11/07, Maria McKinley <parody at u.washington.edu> wrote:
> > On 10/10/07, Maria McKinley <parody at u.washington.edu> wrote:
> > > On 10/10/07, Christophe David <pmwiki at christophedavid.org> wrote:
> > > > > which temporary file contains the password ?
> > > >
> > > > The path for PHP session files is defined by "session.save_path" in
> > > > php.ini. (phpinfo() should give you the settings on your system.)
> > > >
> > > > Details on http://www.php.net/session .
> > > >
> > > > The files are plain text with all variables stored in clear.
> > > >
> > > > Thank you for your help.
> > > >
> > > > Christophe
> > > >
> > >
> > > This is definitely a problem, thanks for pointing it out. On my
> > > system, it saves to /tmp, which is not readable from the web, but
> > > still a bad idea. The trick is to encrypt it. I tried the code below
> > > in my config.php, but I must not have the syntax correct. Maybe
> > > someone with more php knowledge can help us out:
> > >
> > > $DefaultPasswords['edit'] = crypt('id:*');
> > >
> > > cheers,
> > > maria
> > >
> >
> > After further investigation, I don't think the problem is syntax. I
> > think the encryption was set up to work with the pmwiki authorization
> > stuff, and it just doesn't work with ldap. I think ldap doesn't have
> > the ability to unencrypt the password, and I'm not sure how to fix
> > that...
> >
> > cheers,
> > maria
> >
>
> AFAIK, there's no *simple* means to solve what you called an issue.
>
> I don't want to describe all the gory details here (you may see
> [1],[2] and the PHP documentation for references), but basically
> PmWiki uses the session data as a backup of what the user typed in the
> password field, which then could be re-used as is by all the auth
> chain each time a new wiki page is requested (submitted with or
> without preliminary encryption to the configured auth scheme as
> required).
>
> So, encrypting the session data would require using a two-way
> encryption cipher and a dedicated password in order to be able to
> retrieve the original data. Then, where would you store this password?
>

Somehow pmwiki does this with the built-in password support, so I was
hoping that we could make use of that encryption, and that pmwiki on
the server would then unencrypt the password to interact with the
ldap server (and this interaction could be using ssl, I think). I did
realize that the encryption is sent in the clear currently, which is
one of the main reasons I want to deal with the problem. That seems
much more of a problem than a password in a /tmp folder on a machine
with only root access behind a firewall. I will look at the php
documentation some more. As popular as php and ldap are, it seems likely
someone has solved this problem before.


> Corollary question: If someone is able to look at your session data,
> how could you prevent him from also having a look at your config.php?
>

Yes, I suppose if they could look at /tmp they could also look at
config.php, and get my admin password, which probably should not be
written out in plain text on the server either. :-) But the biggest
deal is definitely sending passwords over the net
unencrypted.

I'll look at the links you sent me, thanks,
maria

> Finally, did you know that the password you entered in the auth field
> was sent without any encryption from your browser to the server
> hosting your wiki?
>
> [1] http://www.faqs.org/rfcs/rfc2616.html
> [2] http://www.faqs.org/rfcs/rfc2965.html
> --
> Dominique
>
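The point Christophe and Dominique make above, that PHP session files hold every session variable serialized in plain text under session.save_path, can be checked directly on your own server. The script below is an added illustration, not PmWiki code and not anything posted in this thread: it moves the session store to a private directory, writes a constructed sample value, and prints the resulting file, its mode and its contents. The directory path is an assumption to adjust for your system.

```php
<?php
// Added illustration (not PmWiki code): show that PHP writes session
// variables serialized in plain text under session.save_path, and
// check that the storage directory is private to the web server user.

// Assumption: a directory outside the web root, owned by the PHP user.
$dir = '/var/lib/php-private-sessions';   // hypothetical path, adjust
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}

// Must be set before session_start(); equivalent to session.save_path in php.ini.
ini_set('session.save_path', $dir);
session_start();
$id = session_id();

// Constructed sample value standing in for whatever an auth layer keeps.
$_SESSION['demo_secret'] = 'constructed-sample-value';
session_write_close();   // flush the session to disk

// PHP names the file sess_<session id> inside save_path.
$file = rtrim($dir, '/') . '/sess_' . $id;
echo "Session file: $file\n";
echo "File mode:    " . substr(sprintf('%o', fileperms($file)), -4) . "\n";
echo "Contents:     " . file_get_contents($file) . "\n";
// The contents are readable serialized PHP, e.g.
//   demo_secret|s:24:"constructed-sample-value";

// Warn if group or other can read or write the directory.
$dirMode = fileperms($dir) & 0777;
if ($dirMode & 0077) {
    echo "WARNING: $dir is accessible to group/other (mode "
        . sprintf('%04o', $dirMode) . ")\n";
} else {
    echo "OK: $dir is private to its owner\n";
}
```

Restricting the directory narrows who can read the files, but, as Dominique notes, it does not change what is in them. The password crossing the network in the clear is a separate matter that only serving the wiki over HTTPS addresses.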


