Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 28 Nov 2012 10:10:53 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>, Ricardo Mones <ricardo@...es.org>
Subject: Re: CVE request -- vCalendar plugin for Claws Mail:
 credentials exposed on interface

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ah I didn't reply to oss-sec somehow the first time around.

On 11/15/2012 05:36 AM, Ricardo Mones wrote:
> Hi,
> 
> This has been reported on our bugzilla: 
> http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
>
>
> 
There's still not fix available. Could a CVE id be allocated for
> this if appropriate?
> 
> thanks in advance,
> 
> P.S.: I'm not subscribed to the list.
> 

Ok so based on the bug entry:

=============
In some instances, it might be the case that the only possible way to
access a calendaring service is through https, and in such cases, the
only way to authenticate (at least within the confines of vCalendar)
is by embedding the username:password into the ics URL and/or have a
'private' url that shouldn't be shared.

In either case, after configuring a calendar and trying to access it,
the full url is displayed in the status tray when trying to poll the
calendar, something like:

Fetching
'https://user:password@...ver.example.com/location/of/my/Calendar'...

Thus, use of the vCalendar plugin really isn't suitable or secure for
such configurations!  In the scenarios above, the former is more of a
concern but neither is one you'd necessarily want to expose to prying
eyes.  Even a google calendar "private url", for example, is visible
it its entirety within the status tray.
=============


Basically for all password entry fields we usually **** them out by
default. As well AFAIK pretty much all applications that store
passwords in plain text don't display them by default when you open up
the password management screen (e.g. web browsers like Firefox). So in
general we have a well established trend of hiding plain text
passwords and not displaying them unless the users takes a specific
action to display them (e.g. "show hidden password").

Please use CVE-2012-5527 for this issue.


- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQtkWdAAoJEBYNRVNeJnmTXckP/0rzlvJj7Jyd8N1WMfoP9nPB
7r73cc96AT7uysVVbpcLItIr7q/IPlsK91JuQvv8Q33CIMaNRHdMCQB7kp0SDh4k
QFyZlOlnljq9vo/7dAe3fDtjdEee9wkYMk+HxzHWqRGc0g+7ORHmENeqGmDQSQWn
g2POj4I6xWZavbFV8G5SM6OowGycahcWdEIDySLPHfKbgW0sHQ3UBpMfFGpBGSxQ
Ps5YrGGHpeNDFBmq7IvP52Lm0RF632WcjyEqhgqaomKpUqpm1y+fIuExDa9Rhy7C
rl9dspslinPni1jaiNC7sSwuxdXlYQnI6pLts4wNWeuw45CSzaBd+vW4VyvppXwa
/QYnv59DAoewOgvkwYLtWjMiiqMQ5BtW/sqDtHuqXobAQO98guiIwtepBZs+lt55
KMlYm5/BomDXGt3qwuMbOVWrageGMGFT/1Ba+LSYRwJQRvyE3v3xatUZA+vcEodU
nryol0UIvu7heeKDtjWxy7+xt8Z7F9DWynrYMHrDsFryiBAta+SCLwh6U94jDbaT
sShbIckbxWFNtfGe1WbpabjljTfPrkzUTahL3a1PaVAO2vUZqM44w5dURg1SOs2b
2jggIxQDXeMwynmLz3DztCkfKtoSMxK1rJzHLdkLIh3HFLSBWHPmJspVcjsiT2pV
4pTE+MCIWI73MevucYkg
=hXNa
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.