[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files
Maria McKinley
parody at u.washington.edu
Tue Oct 16 00:29:28 CDT 2007
On 10/15/07, H. Fox <haganfox at users.sourceforge.net> wrote:
> On 10/15/07, Christophe David <christophe.david at christophedavid.org> wrote:
> > > FWIW cleartext passwords in config.php are avoidable if you use
> > > ?action=crypt and paste crypted passwords into the file.
> >
> > This is not relevant for this topic: we are talking about PHP session
> > files storing passwords in clear.
>
> The topic isn't necessarily that specific, considering this is the
> pmwiki-users list, not pmwiki-devel. First, here's the part you
> chopped out...
>
> >>On 10/12/07, Maria McKinley <parody at u.washington.edu> wrote:
> >>> Yes, I suppose if they could look at /tmp they could also look at
> >>> config.php, and get my admin password, which probably should not be
> >>> written out in plain text on the server either.
>
> Not everyone reading this thread -- possibly Maria included -- knows
> that you can crypt passwords in config.php. I thought a reminder
> about ?action=crypt might be helpful.
>
Indeed, had I known, I would have been doing this. Thanks for the tip,
and it seems close enough to on-topic to me to be worth posting to the
same thread.
thanks,
maria
> Anyone using a managed hosting service (or just about any server with
> other users) should be crypting their passwords in config.php whether
> they realize it or not. Now maybe some of them are aware of this who
> weren't aware before.
>
> Hagan
>
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>
--
Maria Mckinley
Scientific Programmer
Shadlen Lab
Physiology and Biophysics
Box 357290
University of Washington
(206) 616-3923
parody at u.washington.edu
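An added example, not from this thread and not PmWiki's own code, of what ?action=crypt amounts to and how a hash pasted into config.php is checked later. It assumes a CRYPT_MD5-style "$1$" salt and the helper names make_config_hash and password_matches; PmWiki's actual algorithm choice may differ.

```php
<?php
// Added example (not from the thread or the PmWiki code base): what
// ?action=crypt does in essence, and how a pasted hash is checked later.

// Make a salted hash of a password, as you would paste into local/config.php.
// A CRYPT_MD5-style "$1$" salt is assumed here; PmWiki's own choice of
// algorithm may differ.
function make_config_hash(string $password): string {
    $salt = '$1$' . substr(bin2hex(random_bytes(6)), 0, 8) . '$';
    return crypt($password, $salt);
}

// Check a login attempt against the stored hash without ever storing
// the cleartext: re-hash with the stored value as salt and compare in
// constant time.
function password_matches(string $attempt, string $stored_hash): bool {
    return hash_equals($stored_hash, crypt($attempt, $stored_hash));
}

// Usage: run once from the command line, then paste the printed line into
// config.php instead of a line that carries the cleartext password.
//   Weak (cleartext readable by anyone who can read config.php):
//     $DefaultPasswords['admin'] = crypt('hunter2');
//   Better (only the hash lives in the file):
//     $DefaultPasswords['admin'] = '<paste make_config_hash() output here>';
$hash = make_config_hash('hunter2');
echo "\$DefaultPasswords['admin'] = '$hash';\n";
var_dump(password_matches('hunter2', $hash));
var_dump(password_matches('wrong', $hash));
```

The second form is the one that matters on a shared host: anyone who can read local/config.php still only gets a salted hash, and the hash is what the login check compares against, so the cleartext never has to sit on disk.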