Message-ID: <20140312095628.GC22894@suse.de>
Date: Wed, 12 Mar 2014 10:56:28 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: claws-mail vcalendar plugin stores user/password in cleartext

On Wed, Mar 12, 2014 at 08:33:45AM +0000, Paul wrote:
> On Mon, 10 Mar 2014 14:31:34 -0600
> "Vincent Danen" <vdanen@...hat.com> wrote:
>
> > Subject pretty much says it all. It's not a very exciting flaw but
> > was brought to our attention.
> >
> > References:
> >
> > http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3099
> > https://bugzilla.redhat.com/show_bug.cgi?id=1074683
>
> I believe that a CVE request for this is probably overkill.
>
> The vCalendar plugin does not support login credentials when
> subscribing to a WebCal.
>
> The user can work around this missing feature by adding their username
> and password to the URI, e.g.
> https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar
>
> The URI is stored in clear text, hence if the user chooses to work
> around the missing feature their un/pw will be stored in clear text.
>
> Similar behaviour can be witnessed in a number of other apps. For
> example, if I bookmark
> https://USERNAME:MYPASSWORD@...lserver/home/USERNAME/Calendar in
> firefox, it will save the credentials in clear text.
>
> There are some apps that will store what the user enters in a
> password field as clear text, however Claws Mail is not one of them.
>
> Therefore, on the Claws Mail bug tracker, this is marked as a feature
> request and not as a security issue.
>
> with regards

FWIW, the calendar plugin does not do SSL safely anyway, which I would
worry more about:

http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3105

Also the RSSyl plugin has the same issue:

www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3106

Note comment by author(?):

"However, while I agree that CURLOPT_SSL_VERIFYHOST should probably be
enabled, I do not see any usefulness in enabling CURLOPT_SSL_VERIFYPEER.
I do not really buy into the extortion racket that certificate authority
companies run."

(The main claws-mail has different and very extensive ssl / certificate
handling, a bit large to review quickly for me right now.)

Ciao, Marcus
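Two concrete points in the thread lend themselves to a small check: credentials smuggled into a subscription URI are stored in clear text beside it, and the libcurl switches CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST decide whether the TLS peer is authenticated at all. The Python below is an added example, not Claws Mail or plugin code and not from anyone in the thread; the subscription-entry field names (uri, verify_peer, verify_host) are assumptions chosen for illustration, and the standard-library ssl module stands in for libcurl's two options. It strips and redacts embedded credentials before anything is written to disk or a log, audits an entry for the weak settings, and shows why disabling peer verification while keeping the host check buys nothing: the name is then matched against a certificate nobody has validated, and the ssl module refuses that combination outright.

```python
"""Audit and harden a stored WebCal/RSS subscription entry.

Constructed example, not Claws Mail code.  The entry layout
{"uri": ..., "verify_peer": bool, "verify_host": bool} is an assumption
made for illustration; the two booleans mirror libcurl's
CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST.
"""
import ssl
from urllib.parse import urlsplit, urlunsplit


def split_credentials(uri: str):
    """Return (uri_without_userinfo, username, password).

    urlsplit() exposes the userinfo part as .username/.password; the netloc
    is rebuilt from hostname and port so the value kept on disk carries no
    secret.  Credentials can then be handed to a keyring or prompted for.
    """
    parts = urlsplit(uri)
    if parts.username is None and parts.password is None:
        return uri, None, None
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return clean, parts.username, parts.password


def redact_uri(uri: str) -> str:
    """Form that is safe to log: keeps scheme/host/path, masks the secret."""
    clean, user, password = split_credentials(uri)
    if user is None and password is None:
        return clean
    parts = urlsplit(clean)
    netloc = f"{user or ''}:***@{parts.netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def audit_subscription(entry: dict) -> list:
    """List the weaknesses of one stored subscription entry (empty = fine)."""
    findings = []
    _, user, password = split_credentials(entry["uri"])
    if user is not None or password is not None:
        findings.append("credentials embedded in URI are stored in clear text")
    verify_peer = entry.get("verify_peer", True)
    verify_host = entry.get("verify_host", True)
    if not verify_peer:
        findings.append("CURLOPT_SSL_VERIFYPEER disabled: any certificate is accepted")
    if not verify_host:
        findings.append("CURLOPT_SSL_VERIFYHOST disabled: certificate name is not checked")
    if verify_host and not verify_peer:
        # A self-signed certificate can carry any name, so matching the name
        # without validating the chain does not authenticate the server.
        findings.append("VERIFYHOST without VERIFYPEER: name check against an "
                        "unvalidated certificate gives no protection")
    return findings


def make_tls_context(verify_peer: bool = True, verify_host: bool = True) -> ssl.SSLContext:
    """Standard-library equivalent of the two libcurl switches.

    create_default_context() already gives CERT_REQUIRED plus hostname
    checking, i.e. the hardened setting.  ssl rejects check_hostname=True
    together with CERT_NONE, which is the right answer; we surface that as a
    ValueError instead of silently weakening the context further.
    """
    if verify_host and not verify_peer:
        raise ValueError("hostname check requires peer verification")
    ctx = ssl.create_default_context()
    if not verify_host:
        ctx.check_hostname = False
    if not verify_peer:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Report the effective peer/host verification of a context."""
    return {"verify_peer": ctx.verify_mode != ssl.CERT_NONE,
            "verify_host": bool(ctx.check_hostname)}


if __name__ == "__main__":
    # Constructed sample entry in the shape of the workaround from the thread.
    entry = {"uri": "https://USERNAME:MYPASSWORD@calserver/home/USERNAME/Calendar",
             "verify_peer": False, "verify_host": True}
    print("stored as :", redact_uri(entry["uri"]))
    for finding in audit_subscription(entry):
        print("finding   :", finding)
    print("hardened  :", describe_context(make_tls_context()))
```

The split/redact pair is what a plugin would run before writing its subscription list, so the file only ever holds the credential-free URI; the audit is the check to run over an existing configuration. Mapping the switches onto ssl.SSLContext is a stand-in for libcurl, but the semantics are the same: peer verification must be on for the hostname check to mean anything.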