[pmwiki-users] PmWiki AuthUser passwords stored in clear in PHP session files
Maria McKinley
parody at u.washington.edu
Wed Oct 10 18:09:00 CDT 2007
On 10/10/07, Christophe David <pmwiki at christophedavid.org> wrote:
> > which temporary file contains the password?
>
> The path for PHP session files is defined by "session.save_path" in
> php.ini. (phpinfo() should give you the settings on your system.)
>
> Details on http://www.php.net/session.
>
> The files are plain text with all variables stored in clear.
>
> Thank you for your help.
>
> Christophe
>
This is definitely a problem, thanks for pointing it out. On my
system, it saves to /tmp, which is not readable from the web, but
still a bad idea. The trick is to encrypt it. I tried the code below
in my config.php, but I must not have the syntax correct. Maybe
someone with more php knowledge can help us out:
$DefaultPasswords['edit'] = crypt('id:*');
cheers,
maria
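The mechanism Christophe describes and the fix Maria is reaching for, as an added PHP example that is not part of the thread or of PmWiki itself: it writes a session to a private directory, shows the cleartext password sitting in the resulting file, and then stores only the crypt() hash the password matched instead. The sample password, the hash, the directory name and the function names are all constructed for the demo.

```php
<?php
// Added example, not code from the thread or from PmWiki.
// It writes a real PHP session file (into a private temp dir, a safer
// session.save_path than the shared /tmp) and shows that whatever is put
// in $_SESSION lands in that file in clear text; the mitigation shown is
// to keep only the crypt() hash the password matched, never the password.

// Constructed sample page password, stored as a crypt() hash (SHA-512 crypt).
$pagePasswordHash = crypt('correct-horse', '$6$demosalt$');

// Private, mode 0700 session directory instead of the world-shared /tmp.
$saveDir = sys_get_temp_dir() . '/sess_demo_' . getmypid();
mkdir($saveDir, 0700);
session_save_path($saveDir);

function storeAndDump(array $data, string $saveDir): string {
    // Start a fresh session, store $data, flush it to disk and return the
    // raw bytes of the session file: exactly what anyone with read access
    // to session.save_path can see.
    session_id(bin2hex(random_bytes(8)));
    session_start();
    $_SESSION = $data;
    $id = session_id();
    session_write_close();
    return file_get_contents("$saveDir/sess_$id");
}

function hasAccess(array $sessionAuth, string $pageHash): bool {
    // Later requests compare stored hashes, so the password is never needed again.
    return in_array($pageHash, $sessionAuth, true);
}

// 1. Naive: keep the cleartext password in the session (what the thread reports).
$raw = storeAndDump(['authpw' => 'correct-horse'], $saveDir);
echo "cleartext in file: ", var_export(strpos($raw, 'correct-horse') !== false, true), "\n";

// 2. Mitigated: record only the hash that the supplied password verified against.
$matched = [];
if (hash_equals($pagePasswordHash, crypt('correct-horse', $pagePasswordHash))) {
    $matched[] = $pagePasswordHash;
}
$raw = storeAndDump(['authpw' => $matched], $saveDir);
echo "cleartext in file: ", var_export(strpos($raw, 'correct-horse') !== false, true), "\n";
echo "page access granted: ", var_export(hasAccess($matched, $pagePasswordHash), true), "\n";
```

Run it from the CLI and inspect the sess_* files in the printed directory: the first contains the password verbatim, the second only the hash.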