[imp] Password disclosure

Jan Schneider jan@horde.org
Fri, 23 Nov 2001 14:20:41 +0100


Quote from Lars Hecking <lhecking@nmrc.ucc.ie>:

> imp 3.0-rc2 leaves tons of files with names like
>
>   sess_7992dce8b32fab7400409226f3bef63d
>
> behind in /tmp. These files are chmod 0600 and owned by the user id that
> runs httpd.
>
> These files contain session details, among them the user passwords
> in cleartext!
>
> Am I correct assuming this is a php issue? Where should I report it?

No, this is our issue. People asked so many times to make the login
credentials available to all Horde apps, that we put it in the session
data. Unfortunately no one had the time so far to store it encrypted.

But that will hopefully be fixed before the release.

Jan.

::::::::::::::::::::::::::::::::::::::::
AMMMa AG - discover your knowledge
:::::::::::::::::::::::::::
Detmolder Str. 25-33 :: D-33604 Bielefeld
fon +49.521.96878-0 :: fax  +49.521.96878-20
http://www.ammma.de
::::::::::::::::::::::::::::::::::::::::::::::
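The pattern Jan describes (credentials kept in session data, but encrypted rather than cleartext), shown as an added example that is not Horde or IMP code: the cleartext assignment the report found beside a variant that encrypts the password with a per-session key held only in a client cookie, so the on-disk sess_* file by itself yields ciphertext. The cookie name, function names and `$_SESSION['imp']` layout are hypothetical; it assumes PHP 7.1+ with the openssl extension.

```php
<?php
// Added example (not Horde/IMP code). Cookie/session names are hypothetical.

// Vulnerable pattern from the report: the cleartext password is serialized
// straight into /tmp/sess_<id>, readable by anyone who can read that file.
function imp_store_password_cleartext(string $password): void
{
    $_SESSION['imp']['password'] = $password;
}

// Hardened pattern: a random key lives only in the browser's cookie; the
// session file on the server holds nonce + auth tag + ciphertext.
const SECRET_COOKIE = 'imp_secret';   // hypothetical cookie name
const CIPHER        = 'aes-256-gcm';

function imp_secret_key(): string
{
    if (empty($_COOKIE[SECRET_COOKIE])) {
        $key = random_bytes(32);
        // Secure + HttpOnly: the key never travels over plain HTTP and is
        // not exposed to page scripts. Never copy it into $_SESSION.
        setcookie(SECRET_COOKIE, bin2hex($key), 0, '/', '', true, true);
        $_COOKIE[SECRET_COOKIE] = bin2hex($key);  // usable in this request
        return $key;
    }
    return hex2bin($_COOKIE[SECRET_COOKIE]);
}

function imp_store_password_encrypted(string $password): void
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));  // 12 bytes for GCM
    $tag = '';
    $ct  = openssl_encrypt($password, CIPHER, imp_secret_key(),
                           OPENSSL_RAW_DATA, $iv, $tag);
    $_SESSION['imp']['password'] = base64_encode($iv . $tag . $ct);
}

function imp_read_password(): ?string
{
    if (empty($_SESSION['imp']['password']) || empty($_COOKIE[SECRET_COOKIE])) {
        return null;  // no stored credential, or the key cookie is gone
    }
    $blob  = base64_decode($_SESSION['imp']['password'], true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $iv    = substr($blob, 0, $ivLen);
    $tag   = substr($blob, $ivLen, 16);   // GCM tag is 16 bytes by default
    $ct    = substr($blob, $ivLen + 16);
    $plain = openssl_decrypt($ct, CIPHER, hex2bin($_COOKIE[SECRET_COOKIE]),
                             OPENSSL_RAW_DATA, $iv, $tag);
    return $plain === false ? null : $plain;  // false on wrong key or tampering
}
```

This only removes the password from the file at rest: the key crosses the wire in every request, so it needs TLS, and an attacker who can read live requests or process memory on the httpd host still gets both halves.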