Date: Wed, 12 Mar 2014 10:56:28 +0100 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com Subject: Re: Re: CVE request: claws-mail vcalendar plugin stores user/password in cleartext On Wed, Mar 12, 2014 at 08:33:45AM +0000, Paul wrote: > On Mon, 10 Mar 2014 14:31:34 -0600 > "Vincent Danen" <vdanen@...hat.com> wrote: > > > Subject pretty much says it all. It's not a very exciting flaw but > > was brought to our attention. > > > > References: > > > > http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3099 > > https://bugzilla.redhat.com/show_bug.cgi?id=1074683 > > I believe that a CVE request for this is probably overkill. > > The vCalendar plugin does not support login credentials when > subscribing to a WebCal. > > The user can work around this missing feature by adding their username > and password to the URI, e.g. > https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar > > The URI is stored in clear text, hence if the user chooses to work > around the missing feature their un/pw will be stored in clear text. > > Similar behaviour can be witnessed in a number of other apps. For > example, if I bookmark > https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar in > firefox, it will save the credentials in clear text. > > There are some apps that will store what the user enters in a > password field as clear text, however Claws Mail is not one of them. > > Therefore, on the Claws Mail bug tracker, this is marked as a feature > request and not as a security issue. > > with regards FWIW, the calendar plugin does not do SSL safely anyway, which I would worry more about: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3105 Also the rssly plugin has the same issue www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3106 Note comment by author(?): "However, while I agree that CURLOPT_SSL_VERIFYHOST should probably be enabled, I do not see any usefulness in enabling CURLOPT_SSL_VERIFYPEER. I do not really buy into the extortion racket that certificate authority companies run." (The main claws-mail has different and very extensive ssl / certificate handling, a bit large to review quickly for me right now.) Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.