Fwd: Re: [imp] Vulnerabilities in IMP/PHP
Chuck Hagenbuch
chuck@horde.org
Mon, 19 Aug 2002 12:32:22 -0400
----- Forwarded message from bjorn.grotan@itea.ntnu.no -----
Date: Mon, 19 Aug 2002 18:29:54 +0200
From: Bjørn Ove Grøtan <bjorn.grotan@itea.ntnu.no>
Reply-To: Bjørn Ove Grøtan <bjorn.grotan@itea.ntnu.no>
Subject: Re: [imp] Vulnerabilities in IMP/PHP
To: Chuck Hagenbuch <chuck@horde.org>
Chuck Hagenbuch:
>
> Quoting Bjørn Ove Grøtan <bjorn.grotan@itea.ntnu.no>:
>
> I'm not responding to most of this, because it belongs on the php lists or
> as a contribution to the FAQ to _help_ people, not a bogus security warning
> to scare them. However, this last statement is _very_ misleading.
>
> Unless you have turned off cookies, the encryption key is a completely
> random string with no relation to the session id.
Hmm - if you say so. My eyes didn't read so on Friday but.
> If you _have_ turned off
> cookies, though, we have absolutely zero way of getting a reliable key
> known to the client and no one else, so in that case, yes, we use the
> session id and the name of the webserver - anything else would be exposed
> to the webserver user, as well. Which leads me to my last point...
Wouldn't you get a more reliable key if using the client hostname rather
than the webserver hostname? A session-file may live quite long if one
does not have automatic delete on old files in the chosen folder.
> ... If you're concerned about security, why on earth would you let non-
> trusted users run scripts on the same machine?
I meant that as a general warning that in my opinion should be in
e.g. a security section in a README file of IMP or equivalent.
There are more ignorant web-administrators in the world than I would
like to imagine.
I'm aware that most of my issues are concerned with the standards of PHP and
such. But, as more and more people are using IMP - some of which aren't that
experienced with securing webservers, it would be a good idea (in my
opinion at least) to give some clues on how to secure it. A small paper
on how to run a secure is by far better than having to browse through some
slides that may or may not have a few qew-words on security-issues
(e.g. http://www.horde.org/papers/kongress2001-imp/)
The paper mentioned above - also suggests NFS for Single Session Store. I would
strongly not recommend this. The other suggestion of using msession
is in my opinion far better.
Best regards
Bjørn Ove Grøtan
----- End forwarded message -----
-chuck
--
Charles Hagenbuch, <chuck@horde.org>
"After a few minutes the most aromatic and nice smelling Italian coffee
will come out of the exhaustpipe." - Our stove-top espresso pot