Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 12 Mar 2014 10:56:28 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: claws-mail vcalendar plugin
	stores user/password in cleartext

On Wed, Mar 12, 2014 at 08:33:45AM +0000, Paul wrote:
> On Mon, 10 Mar 2014 14:31:34 -0600
> "Vincent Danen" <vdanen@...hat.com> wrote: 
> 
> > Subject pretty much says it all.  It's not a very exciting flaw but
> > was brought to our attention.
> > 
> > References:
> > 
> > http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3099
> > https://bugzilla.redhat.com/show_bug.cgi?id=1074683
> 
> I believe that a CVE request for this is probably overkill.
> 
> The vCalendar plugin does not support login credentials when
> subscribing to a WebCal.
> 
> The user can work around this missing feature by adding their username
> and password to the URI, e.g.
> https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar
> 
> The URI is stored in clear text, hence if the user chooses to work
> around the missing feature their un/pw will be stored in clear text.
> 
> Similar behaviour can be witnessed in a number of other apps. For
> example, if I bookmark
> https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar in
> firefox, it will save the credentials in clear text.
> 
> There are some apps that will store what the user enters in a
> password field as clear text, however Claws Mail is not one of them.
> 
> Therefore, on the Claws Mail bug tracker, this is marked as a feature
> request and not as a security issue.
> 
> with regards

FWIW, the calendar plugin does not do SSL safely anyway, which I would
worry more about:
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3105

Also the rssly plugin has the same issue
www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3106

Note comment by author(?):
"However, while I agree that CURLOPT_SSL_VERIFYHOST should probably be
enabled, I do not see any usefulness in enabling CURLOPT_SSL_VERIFYPEER. I
do not really buy into the extortion racket that certificate authority
companies run."

(The main claws-mail has different and very extensive ssl / certificate
 handling, a bit large to review quickly for me right now.)

Ciao, Marcus

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ