[Kroupware] Security Concern regarding Web-Interface

Bernhard Reiter bernhard at intevation.de
Tue Aug 12 18:23:25 CEST 2003


On Tuesday 12 August 2003 14:29, Frank A. Zdarsky wrote:
> while looking at the HTML sources of the pages "Modify Existing
> {User|Maintainer|Administrator}" of the Kolab Server's web-interface, I
> noticed that they contain the respective passwords (and worse: in plain
> text!). This should be avoided for at least two reasons:
>
> a) Administrators gain access to the users' passwords, which these tend to
> use on other systems as well
> b) The web-pages including the passwords are stored on disk (at least in
> Internet Explorer by default)

Thanks for the report.

We are aware of this minor security problem.
https://intevation.de/roundup/roundup.cgi/kroupware/issue336

It is minor because a) the admin has other means to get the password,
so encrypting it in this place does not raise security much.
Any user should be clear
that he trusts a server with the password he hands over.

For b) saving of URLs should be disabled for other reasons, too.
If somebody gets access to your files, they also get your password
the next time you type it or can place a trojan.

Naturally we plan to fix this problem in one of the subsequent releases.
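The two points raised in this thread (a password echoed into the HTML source of an edit form, and that page then being written to the browser's disk cache) map onto two small server-side fixes. The following is an added example in Python, not code from the Kolab web interface, that shows the leaky rendering pattern beside a hardened one, the response headers that keep the page out of disk caches, and a regression check a maintainer could keep in a test suite. The field names, the user record and the "empty password field means keep the current password" convention are assumptions for the example.

```python
# Added example (not Kolab project code): rendering a "Modify User" form
# without echoing the stored password, plus checks a maintainer can keep
# as regression tests. Field names and the sample user are constructed.
from html import escape

# Constructed sample user record (hypothetical field names)
USER = {"uid": "jdoe", "name": "John Doe", "password": "s3cret-pw"}


def render_form_leaky(user):
    """The pattern described in the report: the stored password is written
    into the page source as the input's value, so it is visible in
    'view source' and lands in the browser's on-disk cache."""
    return (
        '<form method="post">\n'
        f'  <input name="uid" value="{escape(user["uid"])}">\n'
        f'  <input name="password" type="password" value="{escape(user["password"])}">\n'
        '</form>'
    )


def render_form_safe(user):
    """Hardened form: the password field starts empty and is only ever
    written to, never read back; leaving it empty on submit keeps the
    current password unchanged (assumed convention)."""
    return (
        '<form method="post">\n'
        f'  <input name="uid" value="{escape(user["uid"])}">\n'
        '  <input name="password" type="password" value="" autocomplete="new-password">\n'
        '  <input name="password_confirm" type="password" value="">\n'
        '</form>'
    )


def response_headers():
    """Headers that instruct browsers and proxies not to store the page on
    disk; 'no-store' is the one that matters, the rest cover old clients."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def apply_update(user, form):
    """Server side of the safe form: replace the password only when a new
    one was entered and confirmed; otherwise leave the record untouched."""
    new_pw = form.get("password", "")
    if not new_pw:
        return user
    if new_pw != form.get("password_confirm", ""):
        raise ValueError("password confirmation mismatch")
    return {**user, "password": new_pw}


def leaks_secret(html, secret):
    """Regression check: the rendered page must not contain the secret,
    neither raw nor HTML-escaped."""
    return secret in html or escape(secret) in html


def cacheable(headers):
    """Regression check: the response must carry Cache-Control: no-store."""
    return "no-store" not in headers.get("Cache-Control", "")


if __name__ == "__main__":
    print("leaky form leaks:", leaks_secret(render_form_leaky(USER), USER["password"]))
    print("safe form leaks: ", leaks_secret(render_form_safe(USER), USER["password"]))
    print("page cacheable:  ", cacheable(response_headers()))
```

The `leaks_secret` check is the useful part to keep around: run it over every rendered admin page against the credentials of the record being edited, and the problem in this report cannot silently come back in a later template change.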