[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files
Neil Herber (nospam)
nospam at eton.ca
Wed Oct 10 09:27:07 CDT 2007
Christophe David wrote:
> This question was already posted in August, but did not receive any
> answer. Same player shoots again ;-)
>
> PHP stores session data to temporary files on the server. These files
> contain in clear all the session variables and their values.
>
> When using AuthUser, PmWiki stores the user password in clear in a
> session variable. Therefore, the user password can be read very
> easily by anyone who has access to the server.
>
> This is especially annoying when using LDAP, as the user password is
> typically used to authenticate on several systems. Therefore, the use
> of PmWiki with LDAP creates a security issue for the other systems
> using LDAP.
>
> Any idea how to avoid this?
Maybe I just don't understand the problem, but if you use a secure
authentication method other than the built-in PmWiki passwords, I can't
see how PHP or PmWiki can know the password.
For example, on my protected wikis I use Apache BA to authenticate the
users. PmWiki only has to look at the authenticated user name to grant
or deny access. There is no way I can see that it has access to the
password.
--
Neil Herber
Corporate info at http://www.eton.ca/
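The session-file exposure Christophe describes, as an added check that is not from this thread or from PmWiki itself: a small Python parser for PHP's default session file format ("name|value" pairs in php_serialize form) that reports any variable whose name looks like a credential and holds a non-empty string. The key pattern, the assumption of the 'php' save handler with ASCII values, and the sample session line are all constructed for the example.

```python
"""Audit PHP session files for credentials kept in clear text: parse the default
name|value php_serialize format, then flag credential-like variable names.
Added example, not PmWiki code; assumes ASCII values; sample is constructed."""
import re

CREDENTIAL_KEYS = re.compile(r"pass(word|wd)?|pw|secret|credential", re.I)

def _parse_value(data, pos):
    """Parse one serialized value at data[pos]; return (value, next_pos)."""
    tag = data[pos]
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag in "ibd":                                 # i:42;  b:1;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return {"i": int, "b": lambda v: v == "1", "d": float}[tag](raw), end + 1
    if tag == "s":                                   # s:<len>:"...";
        colon = data.index(":", pos + 2)
        length, start = int(data[pos + 2:colon]), colon + 2
        return data[start:start + length], start + length + 2   # skip ";
    if tag == "a":                                   # a:<n>:{key;value;...}
        colon = data.index(":", pos + 2)
        count, pos, result = int(data[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            result[key], pos = _parse_value(data, pos)
        return result, pos + 1                       # skip }
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")

def parse_session(data):
    """Parse the full contents of one sess_* file into a dict."""
    session, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        name = data[pos:bar]
        session[name], pos = _parse_value(data, bar + 1)
    return session

def find_clear_credentials(session, prefix=""):
    """Dotted paths of non-empty string variables whose names look like secrets."""
    hits = []
    for key, val in session.items():
        path = f"{prefix}{key}"
        if isinstance(val, dict):
            hits.extend(find_clear_credentials(val, path + "."))
        elif isinstance(val, str) and val and CREDENTIAL_KEYS.search(str(key)):
            hits.append(path)
    return hits
# Constructed sample: the password itself is kept next to the authenticated user.
SAMPLE_SESSION = 'user|s:5:"alice";password|s:8:"hunter22";groups|a:1:{s:7:"editors";b:1;}'
```

Run it over each file under session.save_path; a hit means the application keeps the secret itself rather than only the authenticated identity, which is what Neil's Apache BA setup avoids.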