TWIG default configurations may lead to insecure auth-cookie password storage
From: Gonçalo Gomes <goncalo () microeuropa pt>
Date: Wed, 28 Nov 2001 22:16:53 -0500 (EST)
TWIG is a popular free application framework. Some of its features
are Webmail (through IMAP), Newsgroups (usenet), Bookmarks,
ToDo Lists, etc.
The default configuration of TWIG has no login security options
enabled. When a user logs in to a webmail service running TWIG to
check e-mail, Usenet or any of the other services TWIG offers, the
password may end up stored insecurely in a cookie if the user does
not log out. The password is stored in plain text inside some other
rawurlencode()'d data.
An example of a cookie caught by Microsoft (C) Internet Explorer:
I wrote a little php script to decode this data to make things
And the results:
However, the username and password are always in plain text.
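The check the advisory asks users to make (is my password sitting in plain text in a cookie?) can be automated. The script below is an added example, not the author's decoding script and not TWIG code: it rawurldecode()s each cookie value (Python's urllib.parse.unquote matches PHP's rawurlencode(), which does not use + for spaces) and reports whether a known credential appears verbatim. The cookie value is constructed for illustration and does not reproduce TWIG's real cookie layout.

```python
from urllib.parse import unquote

# CONSTRUCTED sample Cookie header fragment: one cookie whose value is a
# rawurlencode()'d blob, the way a cookie-based login handler might store it.
# It is not a real TWIG cookie; the field names are made up for this example.
SAMPLE_COOKIE = "twig_auth=user%3Djdoe%26pass%3DS3cret%21%26host%3Dmail.example.org"


def decode_cookie(raw: str) -> dict:
    """Split a Cookie header fragment into {name: rawurldecode()'d value}."""
    cookies = {}
    for part in raw.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        # PHP's rawurlencode() encodes spaces as %20, so unquote() (not
        # unquote_plus()) is the matching decoder.
        cookies[name.strip()] = unquote(value)
    return cookies


def find_plaintext_secrets(decoded: dict, secrets: list) -> list:
    """Return (cookie name, secret) pairs where a known secret appears verbatim.

    Each value is also decoded a second time, in case the value itself
    carries another layer of rawurlencode()'d data.
    """
    findings = []
    for name, value in decoded.items():
        candidates = {value, unquote(value)}
        for secret in secrets:
            if any(secret in candidate for candidate in candidates):
                findings.append((name, secret))
    return findings


def audit_cookie(raw: str, secrets: list) -> list:
    """Decode a cookie fragment and report any secrets stored in clear text."""
    return find_plaintext_secrets(decode_cookie(raw), secrets)


if __name__ == "__main__":
    # Audit the constructed cookie against the (constructed) password it carries.
    for cookie_name, secret in audit_cookie(SAMPLE_COOKIE, ["S3cret!"]):
        print(f"cookie {cookie_name!r} stores secret {secret!r} in plain text")
```

Run it against the contents of your own cookie file or the Cookie header your browser sends after logging out; any hit means the session left a credential behind, which is exactly the condition the advisory describes.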
Pick your favorite text editor, edit the file
<twig-prefix>/config/config.php (or possibly .php3)
and change the following values:

$config["security"] = "basic";
to
$config["security"] = "advanced"; // be paranoid

$config["login_handler"] = "cookie";
to
$config["login_handler"] = "securecookie.php4session";

Or check the other options described in the TWIG documents.
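An administrator responsible for several TWIG installs will want to check config.php files for the two settings above rather than read each one by hand. The script below is an added example, not part of the advisory or of TWIG: it parses `$config["..."] = "...";` assignments (skipping commented-out lines) and flags the weak values the advisory names, suggesting the hardened values it recommends. Treating a missing setting as needing review is this script's assumption, since the advisory says the defaults are insecure; the config excerpt is constructed for illustration.

```python
import re

# Matches a single PHP line of the form  $config["key"] = "value";
CONFIG_RE = re.compile(
    r'^\s*\$config\[\s*["\'](\w+)["\']\s*\]\s*=\s*["\']([^"\']*)["\']\s*;'
)

# Settings named in the advisory: key -> (weak default, recommended value).
CHECKS = {
    "security": ("basic", "advanced"),
    "login_handler": ("cookie", "securecookie.php4session"),
}

# CONSTRUCTED config.php excerpt for illustration; not a real TWIG file.
SAMPLE_CONFIG = """<?php
// constructed TWIG config excerpt
$config["security"] = "basic";
// $config["security"] = "advanced";   <- commented out, must be ignored
$config["login_handler"] = "cookie";
$config["imap_server"] = "mail.example.org";
?>"""


def parse_config(text: str) -> dict:
    """Collect $config[...] assignments, ignoring PHP comment lines."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue
        match = CONFIG_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit_config(text: str) -> list:
    """Return (key, current value or None, recommended value) for each weak setting.

    A key that is absent is reported too (assumption: TWIG falls back to the
    insecure default the advisory describes, so absence still needs review).
    """
    settings = parse_config(text)
    findings = []
    for key, (weak, recommended) in CHECKS.items():
        actual = settings.get(key)
        if actual is None or actual == weak:
            findings.append((key, actual, recommended))
    return findings


if __name__ == "__main__":
    for key, actual, recommended in audit_config(SAMPLE_CONFIG):
        print(f'$config["{key}"] is {actual!r}; set it to {recommended!r}')
```

Point it at each real config.php (read the file and pass its text to audit_config) and fix every reported key; an empty result means both settings already hold the values the advisory recommends.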
Try to reproduce this bug. If you find your username
and password written in plain text on your Webmail:
1- Alert your Webmail Service Admin.
2- Always log out (no matter what!)
3- Make sure that after you log out there is no cookie file
left containing any private information about your
TWIG session.
- The author was contacted on Wednesday, November 28, 2001 at
4:05 PM and a reply was received after 20 minutes.
- Some institutions that were caught running TWIG with this
misconfiguration were alerted and fixed the problem.
- Christopher Heschong <chris () screwdriver net>
For the fast response and for pointing me to the obvious
- AL Research Group