Hello,
I see a security hole in the implementation of using the php-session
function. If you log in to nocc (0.9.7 and 1.0.0RC1), the
file "/tmp/sess_XYZABCD...." will be generated (if you set up /tmp in
php.ini as the save folder for php-sessions - this is the default), and
inside this file you can see the user password in clear text format.
In our implementation of Courier-IMAP and LDAP authentication (for
unix systems) we use the same password for accounting.
Why is the password field in the sess file not encrypted?
For a hacker it is not very hard to break into a webserver, look into
the php.ini file to see where the php-sessions will be stored, and have
a look into the sess_XYZABC files to get - in an easy way, without
cracking - the user and the password from one.
My test system is a Sun Solaris 9 machine with standard Apache
(1.3.31) with php 4.4.0 using open-SSL, Courierimap and iplanet-LDAP.
We don't use suexec.
Logged In: YES
user_id=529507
Fixed in CVS.
It'll be included in the next release.
But you can download daily snapshots at:
http://nocc.sourceforge.net/download/
Thanks for the bug report.
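
An audit sketch for the exposure described in this report, added here as an example (it is not NOCC's code or its CVS fix): it parses data in PHP's default `php` session format and lists the keys that look like stored credentials, reporting key paths only and never values. The key names, the name pattern and the sample bytes are constructed assumptions; NOCC's real session variable names are not shown on this page.

```python
import re

# Assumption: key names that suggest a stored credential; tune per application.
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret", re.I)

def parse_value(data, pos):
    """Parse one PHP-serialized value at pos; return (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                  # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):                    # i:42;  b:1;  d:0.5;
        end = data.index(b";", pos)
        return data[pos + 2:end].decode(), end + 1
    colon = data.index(b":", pos + 2)                # end of length/count field
    size = int(data[pos + 2:colon])
    if tag == b"s":                                  # s:<len>:"<bytes>";
        start = colon + 2
        return data[start:start + size], start + size + 2
    if tag == b"a":                                  # a:<count>:{key value ...}
        pos, items = colon + 2, {}
        for _ in range(size):
            key, pos = parse_value(data, pos)
            items[key], pos = parse_value(data, pos)
        return items, pos + 1                        # skip closing brace
    raise ValueError(f"unsupported type {tag!r} at offset {pos}")

def parse_session(data):
    """Split 'name|value' records as written by the 'php' serialize handler."""
    pos, session = 0, {}
    while pos < len(data):
        bar = data.index(b"|", pos)
        session[data[pos:bar].decode()], pos = parse_value(data, bar + 1)
    return session

def credential_keys(node, path=""):
    """Return paths of credential-like keys holding a non-empty string."""
    hits = []
    for key, value in node.items():
        name = key.decode() if isinstance(key, bytes) else str(key)
        here = f"{path}/{name}"
        if isinstance(value, dict):
            hits += credential_keys(value, here)
        elif isinstance(value, bytes) and value and SENSITIVE.search(name):
            hits.append(here)                        # path only, never the value
    return hits

# Constructed sample session contents (not taken from a real NOCC install).
SAMPLE = (b'user|s:5:"alice";passwd|s:12:"not-a-secret";'
          b'prefs|a:2:{s:4:"lang";s:2:"en";s:8:"smtp_pwd";s:6:"sample";}')

if __name__ == "__main__":
    print(credential_keys(parse_session(SAMPLE)))
```

A hit means the key needs review: the name match cannot tell a cleartext value from one the application already encrypts.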