Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 12 Mar 2014 08:33:45 +0000
From: Paul <paul@...ws-mail.org>
To: "OSS Security List" <oss-security@...ts.openwall.com>
Subject: Re: CVE request: claws-mail vcalendar plugin stores user/password
 in cleartext

On Mon, 10 Mar 2014 14:31:34 -0600
"Vincent Danen" <vdanen@...hat.com> wrote: 

> Subject pretty much says it all.  It's not a very exciting flaw but
> was brought to our attention.
> 
> References:
> 
> http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3099
> https://bugzilla.redhat.com/show_bug.cgi?id=1074683

I believe that a CVE request for this is probably overkill.

The vCalendar plugin does not support login credentials when
subscribing to a WebCal.

The user can work around this missing feature by adding their username
and password to the URI, e.g.
https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar

The URI is stored in clear text, hence if the user chooses to work
around the missing feature their un/pw will be stored in clear text.

Similar behaviour can be witnessed in a number of other apps. For
example, if I bookmark
https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar in
firefox, it will save the credentials in clear text.

There are some apps that will store what the user enters in a
password field as clear text, however Claws Mail is not one of them.

Therefore, on the Claws Mail bug tracker, this is marked as a feature
request and not as a security issue.

with regards

Paul

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.