[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files

Maria McKinley parody at u.washington.edu
Tue Oct 16 00:29:28 CDT 2007


On 10/15/07, H. Fox <haganfox at users.sourceforge.net> wrote:
> On 10/15/07, Christophe David <christophe.david at christophedavid.org> wrote:
> > > FWIW cleartext passwords in config.php are avoidable if you use
> > > ?action=crypt and paste crypted passwords into the file.
> >
> > This is not relevant for this topic: we are talking about PHP session
> > files storing passwords in clear.
>
> The topic isn't necessarily that specific, considering this is the
> pmwiki-users list, not pmwiki-devel.  First, here's the part you
> chopped out...
>
> >>On 10/12/07, Maria McKinley <parody at u.washington.edu> wrote:
> >>> Yes, I suppose if they could look at /tmp they could also look at
> >>> config.php, and get my admin password, which probably should not be
> >>> written out in plain text on the server either.
>
> Not everyone reading this thread -- possibly Maria included -- knows
> that you can crypt passwords in config.php.  I thought a reminder
> about ?action=crypt might be helpful.
>

Indeed, had I known, I would have been doing this. Thanks for the tip,
and it seems close enough to on-topic to me to be worth posting to the
same thread.

thanks,
maria

> Anyone using a managed hosting service (or just about any server with
> other users) should be crypting their passwords in config.php whether
> they realize it or not.  Now maybe some of them are aware of this who
> weren't aware before.
>
> Hagan
>
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>


-- 
Maria Mckinley
Scientific Programmer
Shadlen Lab
Physiology and Biophysics
Box 357290
University of Washington
(206) 616-3923
parody at u.washington.edu
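The two recommendations in this thread, crypted passwords in config.php instead of cleartext and session files kept out of a shared /tmp, as an added PHP example. This is not PmWiki's own code and not something posted in the thread. It assumes, as PmWiki's documentation describes, that config.php sets the admin password via $DefaultPasswords['admin'] and accepts a crypt()-format hash there; password_hash() stands in for ?action=crypt as the hash generator, and the sessions directory path is hypothetical.

```php
<?php
// Added example (not PmWiki's code): produce and check a crypt()-style password
// hash, show the config.php line with and without the cleartext password, and
// move PHP session files out of a shared /tmp.
// Assumptions: PmWiki reads the admin password from $DefaultPasswords['admin']
// and accepts a crypt()-format hash there; session.save_path can be set in
// config.php before the session is started.

// Produce a salted hash. ?action=crypt hands back a crypt() hash with a random
// salt; password_hash() (PHP >= 5.5, bcrypt) does the same job here.
function make_crypted(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT);
}

// Check a candidate the way crypt()-based schemes do: re-crypt it using the
// stored hash as the salt and compare. hash_equals() avoids a timing leak.
function check_password(string $candidate, string $stored): bool {
    return hash_equals($stored, crypt($candidate, $stored));
}

// Weak: anyone who can read config.php (other users on a shared host, a
// backup, a misconfigured web root) gets the admin password directly.
$insecure = "\$DefaultPasswords['admin'] = 'hunter2';\n";

// Better: paste the hash, not the password. Generate your own; do not copy
// a hash from an example.
$hash     = make_crypted('hunter2');
$hardened = "\$DefaultPasswords['admin'] = " . var_export($hash, true) . ";\n";

echo "weak config line:     $insecure";
echo "hardened config line: $hardened";
var_dump(check_password('hunter2', $hash));
var_dump(check_password('wrong', $hash));

// Session files: on a shared host /tmp is readable by other users' processes,
// so give this site its own directory (mode 0700, owned by the web server
// user, outside the web root) and point session.save_path at it before
// session_start() runs.
$sessdir = __DIR__ . '/sessions';   // hypothetical path for the example
if (!is_dir($sessdir)) {
    mkdir($sessdir, 0700, true);
}
ini_set('session.save_path', $sessdir);
ini_set('session.use_only_cookies', '1');   // ignore session ids passed in the URL
ini_set('session.cookie_httponly', '1');    // keep the cookie away from page scripts
echo 'session.save_path = ' . ini_get('session.save_path') . "\n";
```

Run it with `php example.php`; the hardened config line it prints is what goes into config.php in place of the cleartext one. A private session directory only helps if its permissions actually exclude other accounts, so check the mode and owner of the directory the server process creates rather than trusting the mkdir() call.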


