From: Bishop B. <ph...@id...> - 2008-01-13 02:26:08
All,
I'm still reviewing the authorization code (to get a better understanding of how I can implement the previously described "landing" page listing a user's surveys, history, etc), and I see this beginning at public/handler-prefix.php:107
    if ($_REQUEST['password'] != "") {
        $_SESSION['esppass'] = $_REQUEST['password'];
    }
    if (isset($_SESSION['esppass'])) {
        $esppass = $_SESSION['esppass'];
    }
If I'm reading the code correctly, authentication for survey access, both the first and each subsequent time, happens by pushing the user's session-stored, clear-text password through survey_auth(). Am I reading that correctly?
If so, anyone with read access to the session data (either misconfigured files or database tables) can read the passwords for all currently authenticated users.
Question: Instead of this approach, can't an authenticated bit be stored and checked by survey_auth()? I'm currently in the process of refactoring survey_auth() in both the authentication mechanisms, so if I'm reading this code right and a bit would work, I can make the change while in the code.
Thanks,
bishop
-- 
Bishop Bettini
ideacode, Inc.
(main) +1 919 341 5170 / (fax) +1 919 521 4100
Visit us on the web at:
ideacode.com Professional software research and development
reviewmysoftware.com Improve sales! Review your software before you release
bytejar.com Solutions to those annoying development problems
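The "authenticated bit" approach asked about above, sketched as an added example. This is not code from the ESP project or from the poster; it assumes that survey_auth($survey_id, $password) is the existing check and returns true on success, that the survey id arrives as $_REQUEST['survey'], and the session keys esp_auth / esp_auth_time are constructed names. The original pattern is kept alongside for contrast.

```php
<?php
// Added example (not from the ESP codebase): replace the session-stored
// clear-text password with a per-survey "authenticated" marker.
//
// Assumptions (not in the original post): survey_auth($survey_id, $password)
// is the existing check and returns true on success; the survey id arrives
// as $_REQUEST['survey']; the session key names below are constructed.

declare(strict_types=1);

session_start();

/**
 * The pattern the post describes (kept only for contrast): the password is
 * copied into the session and re-verified on every request, so anyone who
 * can read session storage (files or DB table) gets every active user's
 * password in the clear.
 */
function authenticate_by_stored_password(): bool
{
    if (($_REQUEST['password'] ?? '') !== '') {
        $_SESSION['esppass'] = $_REQUEST['password'];
    }
    if (!isset($_SESSION['esppass'])) {
        return false;
    }
    return survey_auth($_REQUEST['survey'] ?? '', $_SESSION['esppass']);
}

/**
 * Proposed replacement: verify the password exactly once, record only the
 * fact that this session is authenticated for a given survey, and never
 * persist the password. Later requests consult the flag, not the password.
 */
function authenticate_by_session_flag(): bool
{
    $survey = (string) ($_REQUEST['survey'] ?? '');
    if ($survey === '') {
        return false;
    }

    // Fast path: this session already authenticated for this survey.
    if (!empty($_SESSION['esp_auth'][$survey])) {
        return true;
    }

    // Slow path: a password was supplied with this request; check it once.
    $password = (string) ($_REQUEST['password'] ?? '');
    if ($password === '' || !survey_auth($survey, $password)) {
        return false;
    }

    // Issue a fresh session id on privilege change (blocks session fixation),
    // then store only the marker and when it was set.
    session_regenerate_id(true);
    $_SESSION['esp_auth'][$survey]      = true;
    $_SESSION['esp_auth_time'][$survey] = time();

    // Drop every copy of the password held for this request.
    unset($password, $_REQUEST['password'], $_POST['password'], $_GET['password']);
    return true;
}

/** Revoke the marker for one survey (e.g. on logout) without touching others. */
function deauthenticate_survey(string $survey): void
{
    unset($_SESSION['esp_auth'][$survey], $_SESSION['esp_auth_time'][$survey]);
}

if (!authenticate_by_session_flag()) {
    http_response_code(403);
    exit('Authentication required');
}
```

The marker is keyed by survey id so that authenticating to one survey does not unlock another one in the same browser session, and the timestamp gives the application a place to enforce an idle or absolute timeout. A reader of the session store now learns only which surveys a session may access, never a reusable credential.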