[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Phpgroupware-developers] security
From: |
Chris Weiss |
Subject: |
Re: [Phpgroupware-developers] security |
Date: |
Thu, 31 Oct 2002 14:52:29 +0000 |
depends on how well you trust your users and how you allow them to access your
system. If you use filemanager/phpwebhosting and have the file uploading inside
the web root then it is possible that a user could upload a php script that
prints
out the passwords. This is actually true of any open php project that allows
uploads /inside of the web root/. If course, you could just add an apache
directive to disallow scripts under the "files" dir or have the files dir
outside
of the web root so a controled php script has to read the uploaded file and
pass it
through cleanly, no direct access to run the script.
Since the password is not ever transfered over HTTP, plain text isn't that big
of
an issue, and any encryption used would have to be reversable, and since the
source
is openly available that becomes only slightly better than a plain text
password.
sigurdne (address@hidden) wrote*:
>
>How secure is the passwords given in header.inc.php
>Is it possible with some kind of encryption?
>My companys database manager is not particularly happy by the fact that the
>database password is stored in plain text.
>
>Regards Sigurd Nes
>
>
>
>
>_______________________________________________
>Phpgroupware-developers mailing list
>address@hidden
>http://mail.gnu.org/mailman/listinfo/phpgroupware-developers
>