Re: [Phpgroupware-users] security/passwords


From: Ralf Utermann
Subject: Re: [Phpgroupware-users] security/passwords
Date: Thu, 27 Mar 2003 17:37:42 +0100
User-agent: Mutt/1.4i

On Wed, Mar 26, 2003 at 04:56:10PM +0000, Chris Weiss wrote:
> >> >- The users' passwords during a session are kept in the
> >> >  kp3 cookie, right? How does the encrypt/decrypt work?
> >> >  If I never use an application like email (and thus, the
> >> >  password is never needed) does phpgw nevertheless store it
> >> >  in the cookie? Could one add an option to set the 'secure flag'
> >> >  on this cookie?
> >>
> >> The passwords are kept encrypted in the session and stored on the server
> >> and are never passed back to the browser for a cookie or anything else.
> >> It's stored using crypt/mcrypt so that it can be reversed to check email
> >> for you if you would need it.
> >What is the kp3 cookie used for?
> >
> >grepping and checking through the sources I see the following:
> >
> >- if in setup mcrypt is not enabled, then the users password is
> >  stored in cleartext (base64 encoded) in phpgw_app_sessions and
> >  the whole thing is essentially insecure. I checked this and
> >  could get the passwords from the database. With php-sessions
> >  it's probably the same string, just in some file in
> >  php's session directory
> >
> >- if mcrypt is enabled, one could have something secure.
> >  You cannot use crypt, because this is one way. For mcrypt's
> >  methods I would guess one would split the password and the (probably
> >  randomly generated) secret key between
> >  the server and the client. Either keep the encrypted password
> >  on the server and the key on the client (in a cookie) or vice versa.
> >  Could you describe the procedure which is used?
> 
> I'm not really familiar with it but here's my take:
> 
> The client is the server.  The browser never needs, or gets, the password.  If
> someone you don't trust has your database password and is reading your
> database, you have much bigger problems than this.  The only way mcrypt will
> benefit you over the base64 is if your sql server is on a separate machine
> and you are worried about
I will have the mysql server on the same machine as phpgw.

> someone packet sniffing.  Also keep in mind that upon login the password is
> transmitted from the user's browser to the web server in plain text.  This is a
> web based app, it can only be as secure as the underlying protocols.  Run HTTPS
> on the web server, use a stunnel for SQL, and properly secure both servers in a
> general manner and you have little to worry about.  There are very few ways to hack a
sure, there is only https possible to the phpgw server

> phpGroupWare install, and as far as I know all of them first require the site 
> admin
> to leave some bad default in the web or sql servers or the system, or set
> some "world writeable" setting in a way that would allow someone to read their

I think one should definitely have a dedicated machine, NO other web apps (or
whatever CGIs or even users) to avoid access to the Apache-readable
database password, which then gives you access to all passwords.
If phpgw really keeps the encrypted password and the secret
key in the same location, you are always living dangerously ...

- I would prefer a situation where I can configure whether
  phpgw should keep the password at all; if the user doesn't need
  email applications, we only need to set up the session at login and never need
  the password in cleartext again, so why keep it? It only has risks.
- If I need the password again, I sure want to split the encrypted password
  and the key across different locations. I am not sure how good, for example,
  Squirrelmail's implementation is, but in principle they follow this
  architecture: they place the key at the server in the session
  and the encrypted password in a cookie on the browser. Maybe it's not
  more secure, but I would think so.
   
Would it be difficult to disable the storage of the password in the
session? Login via mail/auth to phpgw, set up the session, but don't
keep the password?

Bye, Ralf
-- 
        Ralf Utermann
_____________________________________________________________________
        Universität Augsburg, Institut für Physik   --   EDV-Betreuer
        Universitätsstr.1             
        D-86135 Augsburg                     Phone:  +49-821-598-3231
        SMTP: address@hidden         Fax: -3411
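The three storage policies discussed in the message above (base64 in the server-side session table, the Squirrelmail-style split of key and ciphertext between server session and browser cookie, and keeping no password at all), as an added example that is not phpGroupWare's or Squirrelmail's own code. It is written in Python, not the project's PHP, and only uses the standard library; the `SESSIONS` table, the HMAC-SHA256 keystream cipher and every function name are assumptions made for illustration.

```python
"""Session password storage policies (added example; not phpGroupWare code).

  1. base64 in the server-side session table (what an install without
     mcrypt effectively does): anyone who can read the table gets the password.
  2. split storage: random key in the server session, ciphertext in a
     browser cookie, so a database dump or a cookie alone yields nothing.
  3. no password kept: the session records only who logged in.
The cipher is an HMAC-SHA256 keystream plus an HMAC tag so the example runs
offline; a real deployment would use AES-GCM from a vetted library.
"""
import base64
import hashlib
import hmac
import secrets

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32

SESSIONS: dict = {}  # session id -> server record; stands in for phpgw_app_sessions


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one session key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with the tag over nonce || ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: tampered cookie or wrong session key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- policy 1: base64 is encoding, not encryption ---------------------------
def store_base64(password: str) -> str:
    return base64.b64encode(password.encode()).decode()


def read_from_db_dump(stored: str) -> str:
    """What anyone holding the Apache-readable DB password can do."""
    return base64.b64decode(stored).decode()


# --- policy 2: key on the server, ciphertext in the cookie ------------------
def login_split(user: str, password: str) -> tuple:
    """Return (session id, cookie value); the server never stores the password."""
    sid = secrets.token_hex(16)
    key = secrets.token_bytes(KEY_LEN)
    SESSIONS[sid] = {"user": user, "key": key}
    cookie = base64.urlsafe_b64encode(encrypt(key, password.encode())).decode()
    return sid, cookie


def password_for_mail(sid: str, cookie: str):
    """Recombine both halves when the mail app needs the password;
    None if the session was created without keeping one."""
    record = SESSIONS[sid]
    if "key" not in record:
        return None
    return decrypt(record["key"], base64.urlsafe_b64decode(cookie)).decode()


def cookie_is_valid(sid: str, cookie: str) -> bool:
    try:
        return password_for_mail(sid, cookie) is not None
    except ValueError:
        return False


def server_side_reveals(sid: str, password: str) -> bool:
    """Does a dump of the server-side record expose the password?"""
    values = SESSIONS[sid].values()
    return password.encode() in b"".join(
        v if isinstance(v, bytes) else str(v).encode() for v in values)


def tamper_cookie(cookie: str) -> str:
    """Flip one ciphertext bit, as a cookie-editing attacker might."""
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[NONCE_LEN] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


# --- policy 3: do not keep the password at all ------------------------------
def login_without_password(user: str) -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user}
    return sid
```

The "vice versa" arrangement from the thread (ciphertext on the server, key in the cookie) is the same code with the two halves swapped; in either layout the half held by the browser should go out in a cookie marked Secure and HttpOnly, and the server half should be generated fresh per login and discarded with the session, so that a database dump taken later cannot be combined with an old cookie.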