[Kroupware] Security Concern regarding Web-Interface
Frank A. Zdarsky
frank.zdarsky at gmx.de
Tue Aug 12 21:08:51 CEST 2003
On Tuesday 12 August 2003 16:25, Bernhard Reiter wrote:
> On Tuesday 12 August 2003 14:29, Frank A. Zdarsky wrote:
> > while looking at the HTML sources of the pages "Modify Existing
> > {User|Maintainer|Administrator}" of the Kolab Server's web-interface, I
> > noticed that they contain the respective passwords (and worse: in plain
> > text!). This should be avoided for at least two reasons:
> >
> > a) Administrators gain access to the users' passwords, which these tend
to
> > use on other systems as well
> > b) The web-pages including the passwords are stored on disk (at least in
> > Internet Explorer by default)
>
> Thanks for the report.
>
> We are aware of this minor security problem.
> https://intevation.de/roundup/roundup.cgi/kroupware/issue336
I'm sorry, I think I did not make myself clear enough. I was not referring
to the problem of the password being visible in the URL when sending the
form data. I tried to point out that the output of create_user.php (the html
source) contains the password in plain text, e.g.:
[...]
<tr><td> Password </td><td>
<input type="password" name="password_0" size=50 maxlength=80
value="my_secret_password">
</td><td>Required</td></tr>
<tr><td> Verfiy Password </td><td>
<input type="password" name="password_1" size=50 maxlength=80
value="my_secret_password">
</td><td>Required</td></tr>
[...]
Not only is it plain text instead of a hash-value, it should not be there at
all! Maybe I'm wrong, but I don't see why this field needs to have any
default value. Is it necessary to update the password in the database on
every submit instead of only when it changes?
> It is minor because a) the admin as other means to get the password,
> so encrypting it in this place does not raise security much.
Okay, you've been referring to a different problem. I still think we have to
differentiate:
The unix user 'root' (resp. 'kolab') will have access to the _hash-value_ of
the user's password, on which he could then run a dictionary attack, or - as
you've mentioned - he could install a keyboard sniffer or else.
However, the _maintainers_ or _administrators_ of the kolab server should
not be able to read the user's chosen password or its hash at all, since all
they need to do is set a default password or reset to the default password.
> Any user should be clear
> that he trust a server with the password he hands over.
IMHO the user should be able to trust that his password on the server can
only be revealed by a minimal number of people and only with a certain
amount of effort. However, unnecessarily giving a potentially large group of
kolab administrators and maintainers access to the plain text password would
be a little too easy, I think.
> For b) saving of urls should be disabled for other reasons, too.
> If somebody get access to your files, they also get your password
> the next time you type it or can place a trojan.
If someone has the privilege to execute a trojan as root, then there is
little that can be done anyway. In the case I mentioned, read access would
be sufficient, although that would already be disturbing...
More information about the Kroupware
mailing list