From: Reini U. <ru...@x-...> - 2003-12-14 14:50:13
Bishop wrote:
>> Joby Walker wrote:
>>> If I am mistaken about what you are storing in the cookie ... then
>>> ignore. But I am quite worried about this development.
>>
>> Well, I'm not so concerned about security with this password issue,
>> since it's only a wiki. nothing serious.
>
> I've just read the section of code allowing me to use the imap
> authentication feature, which means my wiki passwords will be the same as
> my users' imap passwords - therefore the same as their account passwords on
> my mail server. The risk of having those passwords stored remotely or
> passed over an insecure connection is a bit of a concern.

in case of external auth no passwords are stored anywhere. it just checks
for the correctness of the given username/password.
in case of external prefs (customizable with external auth also), also the
other prefs are not stored in any page or cookie.
in case of loose PagePermissions and homepage stored prefs one could look at
prefs of other users, with the metadata viewer plugin.

> PHPWiki runs well over an SSL connection, right?

PHPWiki runs well over an HTTPS connection, if the images are also on HTTPS
(no external img src). otherwise you get a lot of warnings.
I never did an IMAP connection over a secured connection (SSL, TLS, ...) yet.
imap_open does support TLS/SSL if compiled against OpenSSL.
stunnel is the other possibility: see
http://security.fi.infn.it/tools/stunnel/index-en.html
If this is not possible or the imap server does not support TLS/SSL, the
given password is passed cleartext to the IMAP server (AUTH=PLAIN), same as
with every unsecured mail client connection.

>> If I store sensitive data in cookies I do a symmetric encryption with a
>> secret key at the host, generated at install time.
>
> Where's that part of the code? I want to make sure it's being run like it
> should on %post in the RPM as well.

in other projects of mine. in my tep addons (oscommerce.org) for example.
not in phpwiki yet.

>> but it's true that certain pref data shouldn't be stored in cookies:
>> passwd (for security), email (. just the basic prefs for username and
>> layout.
>> otherwise the user has to create a homepage.
>> okay?
> Okay. Phew. Thanks.

nada.
-- 
Reini Urban http://xarch.tu-graz.ac.at/home/rurban/
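The install-time host key and encrypted prefs cookie scheme mentioned in the thread, as an added PHP example (not PHPWiki's code nor Reini's). It uses libsodium's authenticated secretbox instead of bare symmetric encryption so that an altered cookie is rejected rather than decrypted to garbage; the key file path and the pref names are assumptions.

```php
<?php
// Added example, not PHPWiki's code: cookie-stored prefs encrypted under a
// host secret generated once at install time. libsodium secretbox (bundled
// with PHP >= 7.2) gives encryption plus a MAC, so tampering is detected.
// The key file path and the pref names below are assumptions for the example.

// Run once by the installer (or the RPM %post): create the host secret if absent.
function install_time_key(string $keyfile): string {
    if (!file_exists($keyfile)) {
        file_put_contents($keyfile, sodium_crypto_secretbox_keygen()); // 32 random bytes
        chmod($keyfile, 0600); // readable by the web server user only
    }
    return file_get_contents($keyfile);
}

// Seal the prefs into a cookie value: base64(nonce || ciphertext+MAC).
// A fresh random nonce per cookie keeps equal prefs from producing equal cookies.
function seal_prefs(array $prefs, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct = sodium_crypto_secretbox(json_encode($prefs), $nonce, $key);
    return base64_encode($nonce . $ct);
}

// Open a cookie value; returns null if it is malformed, was altered in transit,
// or was sealed under a different host key.
function open_prefs(string $cookie, string $key): ?array {
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pt = sodium_crypto_secretbox_open($ct, $nonce, $key); // false when the MAC fails
    return $pt === false ? null : json_decode($pt, true);
}

$key = install_time_key(sys_get_temp_dir() . '/phpwiki-cookie.key'); // assumed path
$cookie = seal_prefs(['userid' => 'rurban', 'theme' => 'Portland'], $key);
var_dump(open_prefs($cookie, $key));   // array with the two prefs

// Flip one character inside the cookie (here within the nonce): the MAC check fails.
$tampered = $cookie;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
var_dump(open_prefs($tampered, $key)); // NULL

// Another install with its own key cannot read this host's cookies either.
var_dump(open_prefs($cookie, sodium_crypto_secretbox_keygen())); // NULL
```

Passwords still do not belong in the cookie at all, encrypted or not; this only protects the layout-type prefs the thread agrees may be stored there.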