phpgroupware-developers

RE: [Phpgroupware-developers] security


From: Jose Cabrera
Subject: RE: [Phpgroupware-developers] security
Date: Thu, 31 Oct 2002 16:56:04 -0800

Hello,

"any encryption used would have to be reversible"

This is not entirely true.

Since header.inc.php is written to when installing phpGroupWare, just
add some code to encrypt the password before it is written to the file.

For the log in scripts, just have them use the same encryption on the
user submission before comparing the user submission and what is on
file.

This is a small modification and is probably worthwhile.

-Jose

-----Original Message-----
From: address@hidden
[mailto:address@hidden On Behalf Of Chris Weiss
Sent: Thursday, October 31, 2002 6:52 AM
To: address@hidden
Subject: Re: [Phpgroupware-developers] security


Depends on how well you trust your users and how you allow them to
access your system.  If you use filemanager/phpwebhosting and have the
file uploading inside the web root then it is possible that a user could
upload a php script that prints out the passwords.  This is actually
true of any open php project that allows uploads /inside of the web
root/.  Of course, you could just add an apache directive to disallow
scripts under the "files" dir or have the files dir outside of the web
root so a controlled php script has to read the uploaded file and pass it
through cleanly, no direct access to run the script.

Since the password is not ever transferred over HTTP, plain text isn't
that big of an issue, and any encryption used would have to be
reversible, and since the source is openly available that becomes only
slightly better than a plain text password.


sigurdne (address@hidden) wrote*:
>
>How secure are the passwords given in "header.inc.php"?
>Is it possible with some kind of encryption?
>My company's database manager is not particularly happy about the fact
>that the database password is stored in plain text.
>
>Regards Sigurd Nes
>
>
>
>
>_______________________________________________
>Phpgroupware-developers mailing list address@hidden
>http://mail.gnu.org/mailman/listinfo/phpgroupware-developers
>
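
Added example (not part of the original messages and not phpGroupWare code): a minimal pass-through download script of the kind Chris describes, with the uploads kept outside the web root so they can be read but never requested directly. The directory path, the `name` query parameter and the function names are assumptions.

```php
<?php
// Added example, not phpGroupWare code. UPLOAD_DIR and the "name" query
// parameter are assumptions; UPLOAD_DIR must lie outside the document root.
const UPLOAD_DIR = '/var/lib/phpgroupware-files';

// Map a client-supplied name to a regular file directly inside $baseDir.
// Returns the absolute path, or null when the request must be refused.
function resolve_upload(string $baseDir, string $requested): ?string
{
    // basename() drops any directory part, so "../../header.inc.php"
    // can only ever name a file inside the upload directory.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks; refuse a target that resolves elsewhere.
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

function send_upload(string $path): void
{
    // The bytes are copied to the client, never include()d, and always
    // offered as a download, so an uploaded .php file is not executed.
    header('Content-Type: application/octet-stream');
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Request handling; the application's own session check belongs before this.
if (PHP_SAPI !== 'cli') {
    $name = $_GET['name'] ?? '';
    $path = is_string($name) ? resolve_upload(UPLOAD_DIR, $name) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    send_upload($path);
}
```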


