TWIG default configurations may lead to insecure auth-cookie password storage

[Gonçalo Gomes <goncalo () microeuropa pt>]

 Abstract:
 ---------

        TWIG is a popular free application framework. Some of its features
        are Webmail (through IMAP), Newsgroups (usenet), Bookmarks,
        ToDo Lists, etc.


 Problem Scope:
 --------------

        The default configuration of TWIG has no login security options
        enabled. Whenever a person logins to a webmail service running
        TWIG to check his E-mail, Usenet or any other kind of possible
        uses TWIG may have, may lead to insecure storage of password in
        cookies if the user doesn't issue logout. The password is stored
        in plain text within some other rawurlencode()'d data.

        An example of a cookie caught by Microsoft (C) Internet Explorer:

        twig_authenticated
        %3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A14%3A%22_MY_USER_NAME_%22
        %3Bs%3A8%3A%22password%22%3Bs%3A13%3A%22_MY_PASSWORD_%22%3B%7D
        some.server.com

        I wrote a litle php script to decode this data to make things
        more clear:

        <?
                echo rawurldecode("%3A2%3A%7Bs%3A8%3A%22username");
                echo rawurldecode("%22%3Bs%3A14%3A%22_MY_USER_NAME_%22%3Bs");
                echo rawurldecode("%3A8%3A%22password%22%3Bs%3A13%3A");
                echo rawurldecode("%22_MY_PASSWORD_%22%3B%7D");
        ?>

        And the results:

        :2:{s:8:"username";s:14:"_MY_USER_NAME_";s:8:"password";s:13:
        "_MY_PASSWORD_";

        However, the username and password are always in plain text.

 FIX:
 -----
        For Admins:

                Pick your favorite text editor and edit the file
                <twig-prefix>/config/config.php (or possibly .php3)
                change the following values:

                Change:
                $config["security"] = "basic";
                To:
                $config["security"] = "advanced"; // be paranoid

                And:

                $config["login_handler"] = "cookie";
                To:
                $config["login_handler"] = "securecookie.php4session";

                Or check the other options described in TWIG documents.

        For Users:

                Try to reproduce this bug. If you get your username
                and password written in plain text on your Webmail
                session cookies.

                1- Alert your Webmail Service Admin.
                2- Always logout (no matter what!)
                3- Make sure when you logout, there's no cookie file
                   containing any private information, regarding your
                   session during the use of TWIG.

 Contacts:
 ----------
        - The author was contacted at Wednesday, November 28, 2001
          4:05 PM and a reply was received after 20 minutes.

        - Some institutions who were caught running TWIG with this
          misconfiguration were alerted and fixed the problem.


 Acknowledgments:
 ----------------
 - Christopher Heschong <chris () screwdriver net>
        For the fast response and for pointing me to the obvious
        options.

 - AL Research Group


 Relevant Links:
 ---------------

 Twig Website
        http://screwdriver.net/twig/
 PHP
        http://www.php.net


 Best regards,
 -Gonçalo.