Fwd: Re: [imp] Vulnerabilities in IMP/PHP

Chuck Hagenbuch chuck@horde.org
Mon, 19 Aug 2002 12:32:22 -0400



----- Forwarded message from bjorn.grotan@itea.ntnu.no -----
    Date: Mon, 19 Aug 2002 18:29:54 +0200
    From: Bjørn Ove Grøtan <bjorn.grotan@itea.ntnu.no>
Reply-To: Bjørn Ove Grøtan <bjorn.grotan@itea.ntnu.no>
 Subject: Re: [imp] Vulnerabilities in IMP/PHP
      To: Chuck Hagenbuch <chuck@horde.org>

Chuck Hagenbuch:
> 
> Quoting Bjørn Ove Grøtan <bjorn.grotan@itea.ntnu.no>:
> 
> I'm not responding to most of this, because it belongs on the php lists or
> as a contribution to the FAQ to _help_ people, not a bogus security warning
> to scare them. However, this last statement is _very_ misleading.
> 
> Unless you have turned off cookies, the encryption key is a completely 
> random string with no relation to the session id. 

Hmm - if you say so. My eyes didn't read so on Friday but.

> If you _have_ turned off 
> cookies, though, we have absolutely zero way of getting a reliable key 
> known to the client and no one else, so in that case, yes, we use the 
> session id and the name of the webserver - anything else would be exposed 
> to the webserver user, as well. Which leads me to my last point...

Wouldn't you get a more reliable key if using the client hostname rather
than the webserver hostname? A session file may live quite long if one
does not have automatic deletion of old files in the chosen folder.

> ... If you're concerned about security, why on earth would you let non-
> trusted users run scripts on the same machine?

I meant that as a general warning that in my opinion should be in
e.g. a security section in a README file of IMP or equivalent.
There are more ignorant web-administrators in the world than I would
like to imagine.

I'm aware that most of my issues are concerned with the standards of PHP and
such. But, as more and more people are using IMP - some of whom aren't that
experienced with securing webservers, it would be a good idea (in my
opinion at least) to give some clues on how to secure it. A small paper
on how to run a secure is by far better than having to browse through some
slides that may or may not have a few key-words on security issues
(e.g. http://www.horde.org/papers/kongress2001-imp/)

The paper mentioned above also suggests NFS for Single Session Store. I
would strongly not recommend this. The other suggestion of using msession
is in my opinion far better.

Best regards

Bjørn Ove Grøtan

----- End forwarded message -----


-chuck

--
Charles Hagenbuch, <chuck@horde.org>
"After a few minutes the most aromatic and nice smelling Italian coffee
 will come out of the exhaust pipe." - Our stove-top espresso pot