From: Nicolas C. <nic...@gm...> - 2005-11-30 23:49:55
Hi Wesley,

On 12/1/05, Wesley Miaw <we...@we...> wrote:
> Being able to modify the values such as to show events or todos may
> expose information the calendar owner or server administrator doesn't
> want to expose. Supporting webcals from a site that doesn't initially
> want to do that may result in abuse of their installation. The
> tmp_dir and calendar path provide information about the web server's
> internals which could be bad if revealed.
>
> Certainly accessing and/or modifying this information is ideally
> restricted. All I'm saying is that by exposing this on a web page,
> we're opening ourselves up to additional security concerns and in my
> opinion the benefits are negligible.

Ok. The idea is to let just the admin modify those parameters, under the secure admin area. So if Apache is well configured, there wouldn't be any problem. I'll work on it next week, when I'll be less busy, and call you back for analysing the effectiveness.

I still don't understand your question, sorry? Login/pass seem to be used only for admin purposes. And according to the code, 'admin' is an Apache-authenticated user, so I'm not sure it's useful to duplicate it (and in a clear format).

> I don't see much alternative to having a plaintext username/password
> for the admin login. You want to do a client-side one-way hash or
> something? Or something more complicated like SiteKey?

Yes, a ('homemade'?) hash or a web-based auth, as we already use in 'publish.ical.php'. Let's leave this point until I give you something to (crack), look at.

Nicolas.
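The two options the thread weighs (keep a username/password in the config versus rely on the Apache-authenticated admin user) as an added PHP example. This is illustration code, not the project's code and not anything either participant wrote; the function names, the config array layout and the sample credentials are assumptions. It shows a config that holds the admin password only as a salted one-way hash, a server-side check that never compares cleartext, and, as the alternative, reading the user that Apache already authenticated instead of duplicating the credential.

```php
<?php
// Added example, not code from the project or from this thread.
// Function names, the config array layout and the sample credentials
// below are assumptions chosen for illustration.
declare(strict_types=1);

// What the admin setup page would write out: the username as-is, the
// password only as a salted hash, so a leaked config file does not
// reveal the cleartext password.
function make_admin_config(string $user, string $password): array
{
    // password_hash() (PHP >= 5.5) picks a random salt and embeds the
    // algorithm, cost and salt in the returned string.
    return [
        'admin_user'      => $user,
        'admin_pass_hash' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// Server-side login check for the admin area. Returns true only when
// both the username and the password match.
function check_admin_login(array $config, string $user, string $password): bool
{
    // hash_equals() compares in constant time; the password check is
    // always run so a wrong username and a wrong password take about
    // the same time.
    $user_ok = hash_equals((string) $config['admin_user'], $user);
    $pass_ok = password_verify($password, (string) $config['admin_pass_hash']);
    return $user_ok && $pass_ok;
}

// The alternative discussed in the thread: let Apache authenticate the
// admin directory (Basic/Digest auth via .htaccess) and only read the
// user name it has already verified. Apache exposes it as REMOTE_USER,
// or as PHP_AUTH_USER under mod_php; $server is passed in so this can be
// exercised with a constructed array instead of the real $_SERVER.
function admin_from_server(array $server): ?string
{
    $user = $server['REMOTE_USER'] ?? $server['PHP_AUTH_USER'] ?? null;
    return ($user !== null && $user !== '') ? (string) $user : null;
}

// Self-check with constructed values; returns true when every case
// behaves as expected.
function self_test(): bool
{
    $config = make_admin_config('admin', 'correct horse battery staple');
    $ok  = check_admin_login($config, 'admin', 'correct horse battery staple') === true;
    $ok  = $ok && check_admin_login($config, 'admin', 'wrong') === false;
    $ok  = $ok && check_admin_login($config, 'root', 'correct horse battery staple') === false;
    // The stored hash must not contain the cleartext password.
    $ok  = $ok && strpos($config['admin_pass_hash'], 'correct horse') === false;
    $ok  = $ok && admin_from_server(['REMOTE_USER' => 'admin']) === 'admin';
    $ok  = $ok && admin_from_server([]) === null;
    return $ok;
}

echo self_test() ? "ok\n" : "FAILED\n";
```

Note on the "client-side one-way hash" idea raised in the quoted message: if the browser hashes the password and sends the hash, the hash itself becomes the credential that an eavesdropper can replay, so it does not remove the need for TLS or for server-side hashing; the hashing in this example happens on the server, and the Apache route avoids storing a second copy of the credential at all.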