Re: [Phpgroupware-users] security/passwords


From: Ralf Utermann
Subject: Re: [Phpgroupware-users] security/passwords
Date: Wed, 26 Mar 2003 17:21:33 +0100
User-agent: Mutt/1.4i

On Wed, Mar 26, 2003 at 02:43:00PM +0000, Chris Weiss wrote:
> 
> if you are using mail auth the password field in the accounts table is
> ignored. When creating a phpgw account you can enter the phpgw password
> as anything, it will be ignored.
Ok. I had configured auto-create accounts and in this case it
looks like phpgw imports the password although ignoring it for
authentication. It puts a different string (probably some padding or
random) if the user is defined by the admin first without
a password and logs in later on.
> 
> >
> >- The users' passwords during a session are kept in the
> >  the kp3 cookie, right? How does the encrypt/decrypt work?
> >  If I never use an application like email (and thus, the
> >  password is never needed) does phpgw nevertheless store it
> >  in the cookie? Could one add an option to set set 'secure flag'
> >  on this cookie?
> 
> The passwords are kept encrypted in the session and stored on the server
> and are never passed back to the browser for a cookie or anything else.
> It's stored using crypt/mcrypt so that it can be reversed to check email
> for you if you would need it.
What is the kp3 cookie used for?

grepping and checking through the sources I see the following:

- if in setup mcrypt is not enabled, then the user's password is
  stored in cleartext (base64 encoded) in phpgw_app_sessions and
  the whole thing is essentially insecure. I checked this and
  could get the passwords from the database. With php-sessions
  it's probably the same string, just in some file in
  php's session directory

- if mcrypt is enabled, one could have something secure.
  You cannot use crypt, because this is one way. For mcrypt's
  methods I would guess one would split the password and the
  (probably randomly generated) secret key between the server
  and the client. Either keep the encrypted password on the
  server and the key on the client (in a cookie) or vice versa.
  Could you describe the procedure which is used?

Thanks, Ralf
-- 
        Ralf Utermann
_____________________________________________________________________
        Universität Augsburg, Institut für Physik   --   EDV-Betreuer
        Universitätsstr.1             
        D-86135 Augsburg                     Phone:  +49-821-598-3231
        SMTP: address@hidden         Fax: -3411
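As an added illustration of the two cases Ralf describes (this is example code, not phpGroupWare's own session handling): the base64 "cleartext" path beside the split design in which the ciphertext stays in the server-side session record and the per-session random key lives only in the client's cookie. It assumes an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC in place of mcrypt, so it runs on the standard library alone; all function names are made up for the example.

```python
import base64
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def store_base64(password: str) -> str:
    """The mcrypt-disabled path: base64 is an encoding, not encryption.
    Anyone who can read the session table recovers the password directly."""
    return base64.b64encode(password.encode()).decode()

def recover_base64(stored: str) -> str:
    return base64.b64decode(stored).decode()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption:
    # stdlib only, so no AES); never reuse a (key, nonce) pair.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one cookie secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal_password(password: str):
    """Split design: ciphertext+tag stays in the server-side session record,
    the fresh random key travels only in the client's cookie."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _subkeys(key)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return base64.b64encode(nonce + ct + tag).decode(), base64.b64encode(key).decode()

def open_password(record: str, cookie: str):
    """Server side, per request: needs both halves; a wrong key or a tampered
    record fails the tag check and yields None instead of garbage."""
    key, blob = base64.b64decode(cookie), base64.b64decode(record)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()
```

With the split design a dump of the session table alone yields only ciphertext, and a stolen cookie alone yields only a key; the secure flag Ralf asks about still matters, since the cookie half travels with every request.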