[imp] Password disclosure
Jan Schneider
jan@horde.org
Fri, 23 Nov 2001 14:20:41 +0100
Zitat von Lars Hecking <lhecking@nmrc.ucc.ie>:
>
> imp 3.0-rc2 leaves tons of files with names like
>
> sess_7992dce8b32fab7400409226f3bef63d
>
> behind in /tmp. These files are chmod 0600 and owned by the user id
> that
> runs httpd.
>
> These files contain session details, among them the user passwords
> in cleartext!
>
> Am I correct assuming this is a php issue? Where should I report it?
No, this is our issue. People asked so many times to make the login
credentials available to all Horde apps, that we put it in the session
data. Unfortunately no one had the time so far to store it encrypted.
But that will hopefully be fixed before the release.
Jan.
::::::::::::::::::::::::::::::::::::::::
AMMMa AG - discover your knowledge
:::::::::::::::::::::::::::
Detmolder Str. 25-33 :: D-33604 Bielefeld
fon +49.521.96878-0 :: fax +49.521.96878-20
http://www.ammma.de
::::::::::::::::::::::::::::::::::::::::::::::