Date: Wed, 12 Mar 2014 10:56:28 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: claws-mail vcalendar plugin stores user/password in cleartext

On Wed, Mar 12, 2014 at 08:33:45AM +0000, Paul wrote:
> On Mon, 10 Mar 2014 14:31:34 -0600
> "Vincent Danen" <vdanen@...hat.com> wrote:
>
> > Subject pretty much says it all. It's not a very exciting flaw but
> > was brought to our attention.
> >
> > References:
> >
> > http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3099
> > https://bugzilla.redhat.com/show_bug.cgi?id=1074683
>
> I believe that a CVE request for this is probably overkill.
>
> The vCalendar plugin does not support login credentials when
> subscribing to a WebCal.
>
> The user can work around this missing feature by adding their username
> and password to the URI, e.g.
> https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar
>
> The URI is stored in clear text, hence if the user chooses to work
> around the missing feature their un/pw will be stored in clear text.
>
> Similar behaviour can be witnessed in a number of other apps. For
> example, if I bookmark
> https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar in
> firefox, it will save the credentials in clear text.
>
> There are some apps that will store what the user enters in a
> password field as clear text, however Claws Mail is not one of them.
>
> Therefore, on the Claws Mail bug tracker, this is marked as a feature
> request and not as a security issue.
>
> with regards

FWIW, the calendar plugin does not do SSL safely anyway, which I would worry more about:
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3105

Also the rssyl plugin has the same issue:
www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3106

Note comment by author(?): "However, while I agree that CURLOPT_SSL_VERIFYHOST should probably be enabled, I do not see any usefulness in enabling CURLOPT_SSL_VERIFYPEER. I do not really buy into the extortion racket that certificate authority companies run."

(The main claws-mail has different and very extensive ssl / certificate handling, a bit large to review quickly for me right now.)

Ciao, Marcus
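The thread turns on a URI of the form `https://USERNAME:MYPASSWORD@host/...` being written to a config file verbatim. The following is an added example (not Claws Mail code, and not from anyone in the thread) of how a client can split the userinfo out of such a URI before persisting it, plus a small audit routine that flags config lines already holding embedded credentials; the config keys, the `[vcalendar]`/`[rssyl]` section names and every host in the sample are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit, unquote


def strip_uri_credentials(uri):
    """Return (uri_without_userinfo, username, password).

    username and password are None when the URI carries no userinfo.
    Percent-encoding inside the userinfo is decoded so the caller can hand
    the values to a proper credential store; host, port, path, query and
    fragment are kept as they were.
    """
    parts = urlsplit(uri)
    if parts.username is None and parts.password is None:
        return uri, None, None
    host = parts.hostname or ""
    if ":" in host:                       # IPv6 literal needs its brackets back
        host = "[" + host + "]"
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    user = unquote(parts.username) if parts.username is not None else None
    pw = unquote(parts.password) if parts.password is not None else None
    return clean, user, pw


def find_embedded_credentials(config_text):
    """Scan key=value config lines; return [(lineno, key, redacted_uri), ...]
    for every value that is a URI carrying a username or password."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        key, sep, value = line.partition("=")
        value = value.strip()
        if not sep or "://" not in value:
            continue
        try:
            clean, user, pw = strip_uri_credentials(value)
        except ValueError:                # e.g. malformed port; not a URI we can judge
            continue
        if user is not None or pw is not None:
            findings.append((lineno, key.strip(), clean))
    return findings


# Constructed sample config, mimicking the workaround described in the thread.
SAMPLE_CONFIG = """\
[vcalendar]
subscription_uri=https://USERNAME:MYPASSWORD@cal.example.org/home/USERNAME/Calendar
export_uri=https://cal.example.org/public/Calendar
[rssyl]
feed=http://bob:s3cret@feeds.example.net:8080/rss.xml
"""
```

Running `find_embedded_credentials(SAMPLE_CONFIG)` reports the two lines that embed credentials, with the userinfo already removed from the reported URI so the finding itself does not leak the password.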