From: Wesley M. <we...@we...> - 2005-11-30 23:28:23

Hi Nicolas,

>> I would consider the calendar path, things like webcals, showing
>> events, showing todos, login, the tmp_dir, and all of those login
>> things like locked cals, etc. to be secret information also.
>
> What is damaging in seeing all those information (I'm not talking,
> of course, about login)?
> Calendars are access restricted, by the htaccess procedure, and
> everything else is just information, in a readonly (well configured)
> anonymous web server ...

Being able to modify the values such as to show events or todos may expose information the calendar owner or server administrator doesn't want to expose. Supporting webcals from a site that doesn't initially want to do that may result in abuse of their installation. The tmp_dir and calendar path provide information about the web server's internals which could be bad if revealed.

Certainly accessing and/or modifying this information is ideally restricted. All I'm saying is that by exposing this on a web page, we're opening ourselves up to additional security concerns, and in my opinion the benefits are negligible.

>> > What are their practical uses?
>> > Entering the 'admin' page and publishing (I'm not sure they're
>> really
>> > useful in it), what else?
>>
>> Not sure what your question is?
>
> Apart from entering the admin page and publishing calendars, where
> the login/pass pair is used, in phpicalendar? (I'm thinking of
> getting rid of plaintext password, because THAT is a real security
> breach)

I still don't understand your question, sorry? I don't see much alternative to having a plaintext username/password for the admin login. You want to do a client-side one-way hash or something? Or something more complicated like SiteKey?

Later,

--
Wesley Miaw
we...@we...