Hello,
I noticed that passwords are output in plain text to the imap log file if imap_debug is set to true in main.inc.php. If I don't configure my web server correctly (e.g. don't set AllowOverride with Apache) then the log file may be downloaded from the logs directory, exposing the passwords. Obviously it pays to make sure that my web server is configured correctly, but since this is an easy mistake to make I think it would be worthwhile masking passwords in the imap debug log. I attach a patch that does just that.
Regards, Chris January
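One way to do the masking Chris proposes, shown here as an added example for this thread and not the patch he attached (which is not reproduced in the message): a filter that rewrites client-side IMAP debug lines so the password never reaches the log file. The `C: ` / `S: ` prefixes for client and server lines and the sample session are constructed for this example and are not Roundcube's actual log format. It handles the three places a password travels in a login: the second argument of `LOGIN`, an IMAP literal sent after a `{n}` continuation, and the SASL payload that follows `AUTHENTICATE` (inline or on a later line).

```php
<?php
/**
 * Redact credentials from IMAP debug log lines before they are written.
 *
 * Added example, not the patch from the thread. The "C: " / "S: " prefixes
 * marking client and server lines are a constructed convention for this
 * example, not Roundcube's actual log format.
 */
function mask_imap_log(array $lines)
{
    $out = array();
    // True while the client is expected to send a credential payload:
    // a SASL response after AUTHENTICATE, or an IMAP literal after LOGIN.
    $masking = false;

    // One IMAP argument: quoted string, literal "{n}" / "{n+}", or atom.
    $arg = '(?:"(?:[^"\\\\]|\\\\.)*"|\{\d+\+?\}|\S+)';

    foreach ($lines as $line) {
        if (preg_match('/^S:\s*(.*)$/', $line, $m)) {
            // A "+" continuation keeps the exchange open; any other
            // server line (tagged OK/NO/BAD) ends it.
            if (substr($m[1], 0, 1) !== '+') {
                $masking = false;
            }
            $out[] = $line;
            continue;
        }

        if (preg_match('/^(C:\s*)(.*)$/', $line, $m)) {
            $prefix = $m[1];
            $cmd    = $m[2];

            if ($masking) {
                // SASL payload (e.g. base64 of "\0user\0pass") or the
                // literal password line: never log it.
                $out[] = $prefix . '****';
                continue;
            }

            // LOGIN <user> <password>: keep the user, mask the password.
            if (preg_match('/^(\S+\s+LOGIN\s+' . $arg . '\s+)(' . $arg . ')(\s*)$/i', $cmd, $lm)) {
                // A literal password "{n}" is sent on the next client line.
                $masking = (bool) preg_match('/^\{\d+\+?\}$/', $lm[2]);
                $out[] = $prefix . $lm[1] . '****' . $lm[3];
                continue;
            }

            // AUTHENTICATE <mech> [initial-response]: mask the inline
            // response and every following client line until the server
            // replies with something other than "+".
            if (preg_match('/^(\S+\s+AUTHENTICATE\s+\S+)(\s+\S+)?(\s*)$/i', $cmd, $am)) {
                $masking = true;
                $inline  = (isset($am[2]) && $am[2] !== '') ? ' ****' : '';
                $out[]   = $prefix . $am[1] . $inline . $am[3];
                continue;
            }
        }

        // Everything else (SELECT, FETCH, ...) is logged unchanged.
        $out[] = $line;
    }

    return $out;
}

// Constructed sample session; the credentials and base64 blob are made up.
$sample = array(
    'S: * OK IMAP4rev1 ready',
    'C: A0001 LOGIN "chris" "s3cret!"',
    'S: A0001 OK LOGIN completed',
    'C: A0002 AUTHENTICATE PLAIN',
    'S: + ',
    'C: AGNocmlzAHMzY3JldCE=',
    'S: A0002 OK AUTHENTICATE completed',
    'C: A0003 LOGIN "chris" {7}',
    'S: + Ready for literal',
    'C: s3cret!',
    'S: A0003 OK LOGIN completed',
    'C: A0004 SELECT INBOX',
);

foreach (mask_imap_log($sample) as $line) {
    echo $line, PHP_EOL;
}
```

The filter belongs on the write path of the debug log, not as a post-processing step over a file that already contains the secrets. The continuation-tracking state is what makes the literal and SASL cases work: a single-line regex over `LOGIN` alone would still leak a password sent as a `{n}` literal or as the base64 response to `AUTHENTICATE PLAIN`.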
hey,
On 17/11/2009 Chris January wrote:
> I noticed that passwords are output in plain text to the imap log file if imap_debug is set to true in main.inc.php. If I don't configure my web server correctly (e.g. don't set AllowOverride with Apache) then the log file may be downloaded from the logs directory, exposing the passwords. Obviously it pays to make sure that my web server is configured correctly, but since this is an easy mistake to make I think it would be worthwhile masking passwords in the imap debug log. I attach a patch that does just that.
yes, please please accept this patch upstream. i consider it as a major security issue if plaintext passwords are logged to a logfile, even if that's only with debugging options enabled.
greetings, jonas
List info: http://lists.roundcube.net/dev/