[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files

H. Fox haganfox at users.sourceforge.net
Mon Oct 15 18:21:46 CDT 2007


On 10/15/07, Christophe David <christophe.david at christophedavid.org> wrote:
> > FWIW cleartext passwords in config.php are avoidable if you use
> > ?action=crypt and paste crypted passwords into the file.
>
> This is not relevant for this topic: we are talking about PHP session
> files storing passwords in clear.

The topic isn't necessarily that specific, considering this is the
pmwiki-users list, not pmwiki-devel.  First, here's the part you
chopped out...

>>On 10/12/07, Maria McKinley <parody at u.washington.edu> wrote:
>>> Yes, I suppose if they could look at /tmp they could also look at
>>> config.php, and get my admin password, which probably should not be
>>> written out in plain text on the server either.

Not everyone reading this thread -- possibly Maria included -- knows
that you can crypt passwords in config.php.  I thought a reminder
about ?action=crypt might be helpful.

Anyone using a managed hosting service (or just about any server with
other users) should be crypting their passwords in config.php whether
they realize it or not.  Now maybe some of them are aware of this who
weren't aware before.

Hagan
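The config.php point above, as an added example that is not part of Hagan's post or of PmWiki's own code: the cleartext setting beside the crypt()-hashed one that ?action=crypt produces, plus an illustrative check of the kind crypt()-based schemes use. It assumes PmWiki reads the admin password from a `$DefaultPasswords['admin']` entry in config.php (an assumption about PmWiki's configuration); `make_crypt_hash` and `check_password` are hypothetical helpers written here, not PmWiki functions, and the password `hunter2` is a constructed sample.

```php
<?php
// Added example, not from the pmwiki-users post or from PmWiki itself.
// Assumption: PmWiki takes the admin password from $DefaultPasswords['admin']
// in config.php. The two functions below are illustrative helpers only.

// WEAK: anyone who can read config.php (other users on a shared host, a
// web server that serves .php as text by mistake) gets the password itself.
$DefaultPasswords_weak = array('admin' => 'hunter2');   // constructed sample

// BETTER: store only a crypt() hash. ?action=crypt hands you such a hash to
// paste into config.php; this helper builds the same kind of value locally.
function make_crypt_hash($password) {
    // 8-character salt from the crypt() alphabet [./0-9A-Za-z], using the
    // MD5-crypt ($1$) format that 2007-era crypt() implementations support.
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return crypt($password, '$1$' . $salt . '$');
}

// Verification in the crypt() style: re-hash the candidate using the stored
// hash as the salt specification, then compare in constant time.
function check_password($candidate, $stored_hash) {
    if (strlen($stored_hash) < 13) {
        // crypt() signals failure with a short string such as "*0"; never
        // treat that as a valid stored hash.
        return false;
    }
    $computed = crypt($candidate, $stored_hash);
    return hash_equals($stored_hash, $computed);
}

// What config.php should hold: the hash, never the password.
$DefaultPasswords = array('admin' => make_crypt_hash('hunter2'));

var_dump(check_password('hunter2', $DefaultPasswords['admin']));
var_dump(check_password('wrong',   $DefaultPasswords['admin']));
```

Reading config.php then yields only the `$1$...` hash, which is the point of pasting the ?action=crypt output; a reader of /tmp session files is a separate problem that this does not address.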


