Re: [Phpgroupware-users] security/passwords
From: Ralf Utermann
Subject: Re: [Phpgroupware-users] security/passwords
Date: Thu, 27 Mar 2003 17:37:42 +0100
User-agent: Mutt/1.4i
On Wed, Mar 26, 2003 at 04:56:10PM +0000, Chris Weiss wrote:
> >> >- The users' passwords during a session are kept in the
> >> > kp3 cookie, right? How does the encrypt/decrypt work?
> >> > If I never use an application like email (and thus, the
> >> > password is never needed) does phpgw nevertheless store it
> >> > in the cookie? Could one add an option to set the 'secure flag'
> >> > on this cookie?
> >>
> >> The passwords are kept encrypted in the session and stored on the server
> >> and are never passed back to the browser for a cookie or anything else.
> >> It's stored using crypt/mcrypt so that it can be reversed to check email
> >> for you if you would need it.
> >What is the kp3 cookie used for?
> >
> >grepping and checking through the sources I see the following:
> >
> >- if in setup mcrypt is not enabled, then the user's password is
> > stored in cleartext (base64 encoded) in phpgw_app_sessions and
> > the whole thing is essentially insecure. I checked this and
> > could get the passwords from the database. With php-sessions
> > it's probably the same string, just in some file in
> > php's session directory
> >
> >- if mcrypt is enabled, one could have something secure.
> > You cannot use crypt, because this is one way. For mcrypt's
> > methods I would guess one would split the password and the (probably
> > randomly generated) secret key between
> > the server and the client. Either keep the encrypted password
> > on the server and the key on the client (in a cookie) or vice versa.
> > Could you describe the procedure which is used?
>
> I'm not real familiar with it but here's my take:
>
> The client is the server. The browser never needs, or gets, the password. If
> someone you don't trust has your database password and is reading your
> database, you have much bigger problems than this. The only way mcrypt will
> benefit you over the base64 is if your sql server is on a separate machine
> and you are worried about
I will have the mysql server on the same machine as phpgw.
> someone packet sniffing. Also keep in mind that upon login the password is
> transmitted from the user's browser to the web server in plain text. This is
> a web based app, it can only be as secure as the underlying protocols. Run
> HTTPS on the web server, use a stunnel for SQL, and properly secure both
> servers in a general manner and you have little to worry about. There are
> very few ways to hack a
sure, there is only https possible to the phpgw server
> phpGroupWare install, and as far as I know all of them first require the
> site admin to leave some bad default in the web or sql servers or the
> system, or set some "world writeable" setting in a way that would allow
> someone to read their
I think one should definitely have a dedicated machine, NO other web apps (or
whatever cgi's or even users) to avoid access to the apache readable
database password, which then gives you access to all passwords.
If phpgw really keeps the encrypted password + secret
key in the same location, you are always living dangerously ...
- I would prefer a situation where I can configure whether
phpgw should keep the password at all; if the user doesn't need
email applications, we only need to set up the session at login and never need
the password in cleartext again, so why keep it? It only has risks.
- If I need the password again, I sure want to split the encrypted password
and the key between different locations. I am not sure how good, for example,
SquirrelMail's implementation is, but in principle they follow this
architecture: they place the key on the server in the session
and the encrypted password in a cookie on the browser. Maybe it's not
more secure, but I would think so.
Would it be difficult to disable the storage of the password in the
session? Login via mail/auth to phpgw, set up the session, but don't
keep the password?
Bye, Ralf
--
Ralf Utermann
_____________________________________________________________________
Universität Augsburg, Institut für Physik -- EDV-Betreuer
Universitätsstr.1
D-86135 Augsburg Phone: +49-821-598-3231
SMTP: address@hidden Fax: -3411
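As an added illustration (not phpGroupWare's or SquirrelMail's code), the storage designs discussed in this thread side by side: base64-only session storage, which anyone reading the session table reverses; a split design where the server session holds only a random key and the browser cookie holds only the ciphertext, so neither store alone yields the password; and the option of not keeping the password at all. Class and function names are hypothetical, and a one-time pad plus HMAC stands in for mcrypt so the example needs only the standard library.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def base64_store(password: str) -> str:
    """The non-mcrypt case from the thread: base64 is an encoding, not
    encryption, so whoever reads the session table recovers the password."""
    return base64.b64encode(password.encode()).decode()


def base64_recover(stored: str) -> str:
    return base64.b64decode(stored).decode()


class SplitSessionStore:
    """Hypothetical split design: the server session keeps a fresh random key
    (plus a MAC key and tag), the browser cookie keeps only the ciphertext.
    The key is random, as long as the password and used once per session, so
    XOR here is a one-time pad; the HMAC rejects tampered or foreign cookies."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}  # stands in for phpgw_app_sessions

    def login(self, password: str, keep_password: bool) -> Tuple[str, Optional[str]]:
        """Returns (session_id, cookie_value). With keep_password=False the
        password is discarded at login, which is the option asked for above."""
        sid = secrets.token_hex(16)
        if not keep_password:
            self.sessions[sid] = {}
            return sid, None
        pw = password.encode()
        key = secrets.token_bytes(len(pw))            # server half
        mac_key = secrets.token_bytes(32)
        ct = bytes(p ^ k for p, k in zip(pw, key))    # client half (cookie)
        tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
        self.sessions[sid] = {"key": key, "mac_key": mac_key, "tag": tag}
        return sid, base64.b64encode(ct).decode()

    def recover(self, sid: str, cookie_value: Optional[str]) -> Optional[str]:
        """Only an application that really needs the password (mail) calls
        this; it requires the server half and the cookie half together."""
        sess = self.sessions.get(sid)
        if not sess or "key" not in sess or cookie_value is None:
            return None
        ct = base64.b64decode(cookie_value)
        tag = hmac.new(sess["mac_key"], ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, sess["tag"]):
            return None                               # tampered or wrong session
        return bytes(c ^ k for c, k in zip(ct, sess["key"])).decode()
```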