-
2008-06-23
malifice
I found this bug on the last version of Dokuwiki (DokuWiki Release 2008-05-05).
While checking the file conf/local.php I found out that my login and passwords for dokuwiki were stored in the fields $conf['proxy']['login'] and $conf['proxy']['pass'].
First thing, the password was not encrypted, and since I do not use a proxy I was quite surprised to find the fields nonempty and with read permission to anyone having access to the server, which means every single person working in my laboratory.
After trying to delete both fields using the administration page of my wiki, I managed to erase the login field but not the password: if I put an empty login and password, the login field is removed, but not the password field.
Second thing, after changing the login and password with fake ones, I found out that Firefox was automatically filling these fields with my DokuWiki login and passwords. I think Firefox mistakes these fields for the ones used for login in the wiki.
The temporary solution I found was to put a fake password and to disable Firefox password memorization.
-
2008-06-25
Tblue
You could try to delete the two lines directly in conf/local.php. I think you can delete saved passwords for a certain site in Firefox (at least in v3) and later prevent Firefox from saving them again. I don't think this is really a bug, although I agree that storing the password as plain text isn't very secure; maybe it should be encrypted with the same encryption method that is used for the account passwords (think of the passcrypt configuration option).
-
2008-06-25
Tblue
Oops, forgot something: I think the proxy wants a plain text password, so Dokuwiki cannot store an encrypted password.
-
2008-09-12
andi
As pointed out, this is not really a bug in DokuWiki but is Firefox's password manager storing the password and filling it in again.
One way to prevent this would be to add the proprietary attribute autocomplete="off" to the password fields. This would not validate anymore. Alternatively the attribute could be added by JavaScript which would fool the validators but still would insert proprietary markup.
Any opinions by our markup specialists?
-
2008-10-11
ach
I would probably add autocomplete="off" and do without 100% validity in this case ...
-
2008-10-11
andi
added autocomplete=off attribute
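
A check an administrator could run for the condition described in the first report, as an added example that is not part of the thread or of DokuWiki's code: it flags a world-readable conf/local.php and any non-empty proxy credential left in it. The key names are the ones quoted in the report; the function names and the sample file contents are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches lines such as: $conf['proxy']['pass'] = 'secret';
PROXY_RE = re.compile(
    r"""^\s*\$conf\[['"]proxy['"]\]\[['"](login|pass)['"]\]\s*=\s*(['"])(.*?)\2\s*;""",
    re.MULTILINE,
)

def audit_local_php(path):
    """Return a list of findings for one DokuWiki conf/local.php file."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        findings.append("file is world-readable (mode %o)" % stat.S_IMODE(mode))
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for key, _quote, value in PROXY_RE.findall(text):
        if value:
            # Report only the key and the length, never the secret itself.
            findings.append("proxy %s is set (%d chars, plain text)" % (key, len(value)))
    return findings

def demo():
    # Constructed sample mirroring the report: login cleared, password left behind.
    sample = (
        "<?php\n"
        "$conf['title'] = 'Lab wiki';\n"
        "$conf['proxy']['login'] = '';\n"
        "$conf['proxy']['pass'] = 'hunter2-constructed';\n"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "local.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)   # readable by every local account
        before = audit_local_php(path)
        os.chmod(path, 0o600)   # owner only
        after = audit_local_php(path)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

Tightening the file mode removes the first finding but not the second: the password stays in plain text until the line itself is deleted from the file.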