Date: Wed, 28 Nov 2012 10:10:53 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Vincent Danen <vdanen@...hat.com>, Ricardo Mones <ricardo@...es.org> Subject: Re: CVE request -- vCalendar plugin for Claws Mail: credentials exposed on interface -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ah I didn't reply to oss-sec somehow the first time around. On 11/15/2012 05:36 AM, Ricardo Mones wrote: > Hi, > > This has been reported on our bugzilla: > http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782 > > > There's still not fix available. Could a CVE id be allocated for > this if appropriate? > > thanks in advance, > > P.S.: I'm not subscribed to the list. > Ok so based on the bug entry: ============= In some instances, it might be the case that the only possible way to access a calendaring service is through https, and in such cases, the only way to authenticate (at least within the confines of vCalendar) is by embedding the username:password into the ics URL and/or have a 'private' url that shouldn't be shared. In either case, after configuring a calendar and trying to access it, the full url is displayed in the status tray when trying to poll the calendar, something like: Fetching 'https://user:password@...ver.example.com/location/of/my/Calendar'... Thus, use of the vCalendar plugin really isn't suitable or secure for such configurations! In the scenarios above, the former is more of a concern but neither is one you'd necessarily want to expose to prying eyes. Even a google calendar "private url", for example, is visible it its entirety within the status tray. ============= Basically for all password entry fields we usually **** them out by default. As well AFAIK pretty much all applications that store passwords in plain text don't display them by default when you open up the password management screen (e.g. web browsers like Firefox). So in general we have a well established trend of hiding plain text passwords and not displaying them unless the users takes a specific action to display them (e.g. "show hidden password"). Please use CVE-2012-5527 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQtkWdAAoJEBYNRVNeJnmTXckP/0rzlvJj7Jyd8N1WMfoP9nPB 7r73cc96AT7uysVVbpcLItIr7q/IPlsK91JuQvv8Q33CIMaNRHdMCQB7kp0SDh4k QFyZlOlnljq9vo/7dAe3fDtjdEee9wkYMk+HxzHWqRGc0g+7ORHmENeqGmDQSQWn g2POj4I6xWZavbFV8G5SM6OowGycahcWdEIDySLPHfKbgW0sHQ3UBpMfFGpBGSxQ Ps5YrGGHpeNDFBmq7IvP52Lm0RF632WcjyEqhgqaomKpUqpm1y+fIuExDa9Rhy7C rl9dspslinPni1jaiNC7sSwuxdXlYQnI6pLts4wNWeuw45CSzaBd+vW4VyvppXwa /QYnv59DAoewOgvkwYLtWjMiiqMQ5BtW/sqDtHuqXobAQO98guiIwtepBZs+lt55 KMlYm5/BomDXGt3qwuMbOVWrageGMGFT/1Ba+LSYRwJQRvyE3v3xatUZA+vcEodU nryol0UIvu7heeKDtjWxy7+xt8Z7F9DWynrYMHrDsFryiBAta+SCLwh6U94jDbaT sShbIckbxWFNtfGe1WbpabjljTfPrkzUTahL3a1PaVAO2vUZqM44w5dURg1SOs2b 2jggIxQDXeMwynmLz3DztCkfKtoSMxK1rJzHLdkLIh3HFLSBWHPmJspVcjsiT2pV 4pTE+MCIWI73MevucYkg =hXNa -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ