Abstract:
---------
TWIG is a popular free application framework. Some of its features
are Webmail (through IMAP), Newsgroups (usenet), Bookmarks,
ToDo Lists, etc.
Problem Scope:
--------------
The default configuration of TWIG has no login security options
enabled. Whenever a person logins to a webmail service running
TWIG to check his E-mail, Usenet or any other kind of possible
uses TWIG may have, may lead to insecure storage of password in
cookies if the user doesn't issue logout. The password is stored
in plain text within some other rawurlencode()'d data.
An example of a cookie caught by Microsoft (C) Internet Explorer:
twig_authenticated
%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A14%3A%22_MY_USER_NAME_%22
%3Bs%3A8%3A%22password%22%3Bs%3A13%3A%22_MY_PASSWORD_%22%3B%7D
some.server.com
I wrote a litle php script to decode this data to make things
more clear:
<?
echo rawurldecode("%3A2%3A%7Bs%3A8%3A%22username");
echo rawurldecode("%22%3Bs%3A14%3A%22_MY_USER_NAME_%22%3Bs");
echo rawurldecode("%3A8%3A%22password%22%3Bs%3A13%3A");
echo rawurldecode("%22_MY_PASSWORD_%22%3B%7D");
?>
And the results:
:2:{s:8:"username";s:14:"_MY_USER_NAME_";s:8:"password";s:13:
"_MY_PASSWORD_";
However, the username and password are always in plain text.
FIX:
-----
For Admins:
Pick your favorite text editor and edit the file
<twig-prefix>/config/config.php (or possibly .php3)
change the following values:
Change:
$config["security"] = "basic";
To:
$config["security"] = "advanced"; // be paranoid
And:
$config["login_handler"] = "cookie";
To:
$config["login_handler"] = "securecookie.php4session";
Or check the other options described in TWIG documents.
For Users:
Try to reproduce this bug. If you get your username
and password written in plain text on your Webmail
session cookies.
1- Alert your Webmail Service Admin.
2- Always logout (no matter what!)
3- Make sure when you logout, there's no cookie file
containing any private information, regarding your
session during the use of TWIG.
Contacts:
----------
- The author was contacted at Wednesday, November 28, 2001
4:05 PM and a reply was received after 20 minutes.
- Some institutions who were caught running TWIG with this
misconfiguration were alerted and fixed the problem.
Acknowledgments:
----------------
- Christopher Heschong <chris@screwdriver.net>
For the fast response and for pointing me to the obvious
options.
- AL Research Group
Relevant Links:
---------------
Twig Website
http://screwdriver.net/twig/
PHP
http://www.php.net
Best regards,
-Gon�alo.
