|
Message-ID: <20140312083345.7abb8419@thewildbeast>
Date: Wed, 12 Mar 2014 08:33:45 +0000
From: Paul <paul@...ws-mail.org>
To: "OSS Security List" <oss-security@...ts.openwall.com>
Subject: Re: CVE request: claws-mail vcalendar plugin stores user/password
in cleartext
On Mon, 10 Mar 2014 14:31:34 -0600
"Vincent Danen" <vdanen@...hat.com> wrote:
> Subject pretty much says it all. It's not a very exciting flaw but
> was brought to our attention.
>
> References:
>
> http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3099
> https://bugzilla.redhat.com/show_bug.cgi?id=1074683
I believe that a CVE request for this is probably overkill.
The vCalendar plugin does not support login credentials when
subscribing to a WebCal.
The user can work around this missing feature by adding their username
and password to the URI, e.g.
https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar
The URI is stored in clear text, hence if the user chooses to work
around the missing feature their un/pw will be stored in clear text.
Similar behaviour can be witnessed in a number of other apps. For
example, if I bookmark
https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar in
firefox, it will save the credentials in clear text.
There are some apps that will store what the user enters in a
password field as clear text, however Claws Mail is not one of them.
Therefore, on the Claws Mail bug tracker, this is marked as a feature
request and not as a security issue.
with regards
Paul
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.