[Techtalk] php plain text password in /tmp
Maria McKinley
maria at shadlen.org
Wed Oct 10 23:18:03 UTC 2007
Well, still working on it, but I need to put something approximating
this in config.php:
$DefaultPasswords['edit'] = crypt('id:*');
Unfortunately, I don't have the syntax correct yet. The unencrypted
syntax was:
$DefaultPasswords['edit'] = 'id:*';
cheers,
maria
Gayathri Swaminathan wrote:
> There goes Maria talking to herself again ;-)
>
> How did you fix it?
>
> Gayathri
>
> On 10/10/07, Maria McKinley <maria at shadlen.org> wrote:
>
> Maria McKinley wrote:
> > Hello,
> >
> > Recently it has come to my attention that the pmwiki built-in user
> > authentication system uses php, and that php is configured to save
> > session information in /tmp/, which includes passwords in plain text.
> > How big of a security risk is this (sounds pretty bad to me...), and
> > does anyone know what can be done about it?
> >
> > thanks,
> > maria
> > _______________________________________________
> > Techtalk mailing list
> > Techtalk at linuxchix.org <mailto:Techtalk at linuxchix.org>
> > http://mailman.linuxchix.org/mailman/listinfo/techtalk
>
> Never mind, I think I figured out how to have it encrypted.
>
> ~maria
>
> --
> Gayathri Swaminathan
> gpgkey: 3EFB3D39
> Volunteer, FDP
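
A check for the exposure raised in this thread, as an added example that is not part of the original posts: it reports whether a PHP session directory is open to other local users and which session files are readable beyond their owner. The function name `audit_sessions` and the demo directories are constructed for illustration; `sess_` is the file prefix used by PHP's default file session handler.

```shell
#!/bin/sh
# audit_sessions DIR  (hypothetical helper, not from the thread)
# Reports exposure of PHP file-based sessions to other local users.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad input.
audit_sessions() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # o+x on the directory lets any local account reach files inside it.
    # This is always the case for /tmp.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -001)" ]; then
        echo "DIR-OPEN $dir"
        rc=1
    fi

    # sess_* files carrying a group or other read bit are readable by
    # accounts other than the owner (normally the web server user).
    loose=$(find "$dir" -maxdepth 1 -type f -name 'sess_*' \
                 \( -perm -040 -o -perm -004 \))
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/FILE-READABLE /'
        rc=1
    fi
    return "$rc"
}

# Constructed demo: a /tmp-like shared directory and a private one.
demo=$(mktemp -d)
mkdir "$demo/shared" "$demo/private"
chmod 1777 "$demo/shared"
chmod 700 "$demo/private"
: > "$demo/shared/sess_constructed1";  chmod 644 "$demo/shared/sess_constructed1"
: > "$demo/private/sess_constructed2"; chmod 600 "$demo/private/sess_constructed2"
audit_sessions "$demo/shared"  || echo "shared: findings"
audit_sessions "$demo/private" && echo "private: clean"
rm -rf "$demo"
```

A directory set as `session.save_path` that is owned by the web server user with mode 700 produces no findings; the check says nothing about what the session files contain.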