[Kroupware] Security Concern regarding Web-Interface

Bernhard Reiter bernhard at intevation.de
Wed Aug 13 13:26:54 CEST 2003


On Tuesday 12 August 2003 20:08, Frank A. Zdarsky wrote:
> On Tuesday 12 August 2003 16:25, Bernhard Reiter wrote:
> > On Tuesday 12 August 2003 14:29, Frank A. Zdarsky wrote:
> > > while looking at the HTML sources of the pages "Modify Existing
> > > {User|Maintainer|Administrator}" of the Kolab Server's web-interface, I
> > > noticed that they contain the respective passwords (and worse: in plain
> > > text!). This should be avoided for at least two reasons:
> > >
> > > a) Administrators gain access to the users' passwords, which these tend to
> > > use on other systems as well
> > > b) The web-pages including the passwords are stored on disk (at least
> > > in Internet Explorer by default)
> >
> > Thanks for the report.
> >
> > We are aware of this minor security problem.
> > https://intevation.de/roundup/roundup.cgi/kroupware/issue336
>
> I'm sorry, I think I did not make myself clear enough. I was not referring
> to the problem of the password being visible in the URL when sending the
> form data. I tried to point out that the output of create_user.php (the
> html source) contains the password in plain text, e.g.:

I didn't read your post carefully enough.
Thanks for being persistent, we now also see the bug here.

I've opened an issue for it:
https://intevation.de/roundup/roundup.cgi/kroupware/issue368
Erfrakon is working on it.

> Not only is it plain text instead of a hash-value, it should not be there
> at all! Maybe I'm wrong, but I don't see why this field needs to have any
> default value. Is it necessary to update the password in the database on
> every submit instead of only when it changes?

It is not necessary to always update the password.
Your analysis is correct.

	Bernhard
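To make the two points of the thread concrete (the stored password echoed as the field's default value, and the password being rewritten on every submit), here is an added illustration in Python. It is not code from the Kolab server or the Kroupware project, whose web interface is PHP; the form action, the field names and the sample user record are assumptions made up for the example. The first renderer reproduces the leaky pattern described above; the second one leaves the field blank, and the update handler only touches the stored hash when a non-empty password was actually submitted.

```python
import hashlib
import hmac
import html
import os
from typing import Optional

# Constructed sample record standing in for a directory entry; the field
# names are assumptions, not the Kolab server's real schema.
SAMPLE_USER = {"uid": "jdoe", "cn": "John Doe", "password_hash": None}

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for the example)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256; returns 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def render_edit_form_leaky(user: dict, cleartext_password: str) -> str:
    """The pattern reported in the thread: the stored password is written
    into the page as the field's default value, so it ends up in the HTML
    source (visible to any administrator) and in the browser's disk cache."""
    return (
        '<form method="post" action="edit_user.php">\n'  # action is assumed
        f'  <input name="uid" value="{html.escape(user["uid"])}">\n'
        f'  <input name="cn" value="{html.escape(user["cn"])}">\n'
        f'  <input type="password" name="password" '
        f'value="{html.escape(cleartext_password)}">\n'
        "</form>"
    )


def render_edit_form_fixed(user: dict) -> str:
    """No default value at all: a blank field means 'leave the password as is'."""
    return (
        '<form method="post" action="edit_user.php">\n'  # action is assumed
        f'  <input name="uid" value="{html.escape(user["uid"])}">\n'
        f'  <input name="cn" value="{html.escape(user["cn"])}">\n'
        '  <input type="password" name="password" value="" autocomplete="off">\n'
        "</form>"
    )


def apply_update(user: dict, form: dict) -> dict:
    """Update the editable attributes; only replace the password hash when
    the submitted password field is non-empty, so an unchanged form does
    not rewrite (or need to know) the existing password."""
    updated = dict(user)
    if "cn" in form:
        updated["cn"] = form["cn"]
    new_password = form.get("password", "")
    if new_password:
        updated["password_hash"] = hash_password(new_password)
    return updated


if __name__ == "__main__":
    stored = dict(SAMPLE_USER, password_hash=hash_password("s3cret"))
    print(render_edit_form_leaky(stored, "s3cret"))
    print(render_edit_form_fixed(stored))
    print(apply_update(stored, {"cn": "J. Doe", "password": ""}))
```

The fixed form never needs the clear text at all: the server only ever holds a salted hash, and the edit page carries nothing that could be recovered from the page source or the cache. The `autocomplete="off"` hint is a courtesy to browsers; the actual protection is the empty `value` and the "only update when non-empty" check in `apply_update`.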
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: signature
Url : http://mail.kde.org/pipermail/kroupware/attachments/20030813/08118a3d/smime.bin