
RE: [Phpgroupware-developers] security


From: Chris Weiss
Subject: RE: [Phpgroupware-developers] security
Date: Fri, 01 Nov 2002 04:05:23 +0000

For the setup login that might work, but the database password would still have
to be plain text.


Jose Cabrera (address@hidden) wrote*:
>
>Hello,
>
>"any encryption used would have to be reversible"
>
>This is not entirely true.
>
>Since header.inc.php is written to when installing phpGroupWare, just
>add some code to encrypt the password before it is written to the file.
>
>For the log in scripts, just have them use the same encryption on the
>user submission before comparing the user submission and what is on
>file.
>
>This is a small modification and is probably worth while.
>
>-Jose
>
>-----Original Message-----
>From: address@hidden
>[mailto:address@hidden On Behalf Of Chris Weiss
>Sent: Thursday, October 31, 2002 6:52 AM
>To: address@hidden
>Subject: Re: [Phpgroupware-developers] security
>
>
>depends on how well you trust your users and how you allow them to
>access your system.  If you use filemanager/phpwebhosting and have the
>file uploading inside the web root then it is possible that a user could
>upload a php script that prints out the passwords.  This is actually
>true of any open php project that allows uploads /inside of the web
>root/.  Of course, you could just add an apache directive to disallow
>scripts under the "files" dir or have the files dir outside of the web
>root so a controlled php script has to read the uploaded file and pass it
>through cleanly, no direct access to run the script.
>
>Since the password is not ever transferred over HTTP, plain text isn't
>that big of an issue, and any encryption used would have to be
>reversible, and since the source is openly available that becomes only
>slightly better than a plain text password.
>
>
>sigurdne (address@hidden) wrote*:
>>
>>How secure are the passwords given in "header.inc.php"?
>>Is it possible with some kind of encryption?
>>My company's database manager is not particularly happy by the fact
>>that the database password is stored in plain text.
>>
>>Regards Sigurd Nes
>>
>>
>>
>>
>>_______________________________________________
>>Phpgroupware-developers mailing list address@hidden
>>http://mail.gnu.org/mailman/listinfo/phpgroupware-developers
>>
>
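
The distinction made in this thread, as an added example that is not part of the original messages or phpGroupWare's code: the setup password can be stored as a one-way hash because it is only compared with a submission, while the database password must stay in a form the application can send to the server. It uses PHP's password_hash()/password_verify() in place of the "same encryption" comparison Jose describes; the array keys, the temporary file standing in for header.inc.php and the sample passwords are constructed for illustration.

```php
<?php
// Added illustration, not phpGroupWare code. Array keys are hypothetical.

/** Install time: write the generated settings to the header file. */
function write_header(string $path, string $setupPassword, string $dbPassword): void
{
    $config = [
        // One-way hash: only ever compared with what the admin submits.
        'setup_password_hash' => password_hash($setupPassword, PASSWORD_DEFAULT),
        // Kept recoverable: the application must send the real password
        // to the database server on every connection.
        'db_pass' => $dbPassword,
    ];
    file_put_contents($path, "<?php\nreturn " . var_export($config, true) . ";\n");
}

/** Setup login: check the submission against the stored hash. */
function setup_login_ok(array $config, string $submitted): bool
{
    return password_verify($submitted, $config['setup_password_hash']);
}

// Constructed sample values and a temporary file standing in for header.inc.php.
$path = tempnam(sys_get_temp_dir(), 'hdr');
write_header($path, 'setup-secret', 'db-secret');
$config = include $path;
$raw = file_get_contents($path);
unlink($path);

// The login check works without the setup password ever being stored.
var_dump(setup_login_ok($config, 'setup-secret'));
var_dump(setup_login_ok($config, 'wrong-guess'));

// Anyone who can read the file sees the database password, not the setup one.
var_dump(strpos($raw, 'db-secret') !== false);
var_dump(strpos($raw, 'setup-secret') === false);

// Hashing db_pass too would leave nothing the database server accepts:
// the stored value would no longer equal the password.
var_dump(password_hash('db-secret', PASSWORD_DEFAULT) === 'db-secret');
```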




