Full Disclosure mailing list archives
Re: gkrellm 2.1.19 email user/password storage in clear text
From: Jérôme Augé <eguaj () free fr>
Date: Sun, 28 Dec 2003 14:49:12 +0100
On Sat, Dec 27, 2003 at 03:03:36PM -0800, christopher neitzert wrote:
> Hi all,
>
> I couldn't find this when searching through the list archives so I
> presume it hasn't been posted yet.
>
> From gkrellm-2.1.19 rpm base:
>
> ~user/.gkrellm/user-config stores passwords for IMAP, IMAP-CRAM-MD5, and
> POP in clear text.
>
> From ~user/.gkrellm/user-config
> --
> mail mailbox-remote IMAP_(CRAM-MD5) some.server.com "username" "password" 143 "inbox"
> --
>
> Can anyone confirm that this is true on other versions/platforms?
Yes, this is true, login and password are stored in clear text and I don't think this is a security flaw, this is the expected behaviour.

On my system (Redhat FC1) the `user-config' file is not readable by other users or groups:

$ ls -l user-config
-rw------- 1 jauge jauge 3287 Dec 28 14:24 user-config

So I don't consider this a problem...

There are plenty of files that store passwords in clear text, like the .netrc or .fetchmailrc file. The only requirement for such a file is to be correctly protected with a chmod/umask, and this user-config file seems correctly protected.

Regards,
Jérôme

--
<ESC>:r $HOME/.signature<CR>
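Added example, not part of the original message and not gkrellm code: a POSIX shell audit of the permission check described in the reply above, applied to the three files the thread names (`.gkrellm/user-config`, `.netrc`, `.fetchmailrc`). The function names `check_cred_file`, `umask_is_private` and `audit_cred_files` are hypothetical, and the script assumes an `ls` that supports the POSIX `-n` and `-L` options.

```shell
#!/bin/sh
# Added example: audit the clear-text credential files named in this thread.

# Return 0 if FILE is absent, or is owned by the caller and has no group/other
# permission bits; otherwise print a finding and return 1.
check_cred_file() {
    f=$1
    [ -e "$f" ] || return 0
    # ls -ldn fields: mode, link count, numeric uid, ...; -L follows symlinks
    read -r mode _links uid _rest <<EOF
$(ls -ldnL "$f")
EOF
    go=${mode#????}               # drop the file type and the owner rwx bits
    go=${go%"${go#??????}"}       # keep the six group/other characters
    rc=0
    if [ "$go" != "------" ]; then
        echo "FAIL $f: mode $mode grants group/other access"; rc=1
    fi
    if [ "$uid" != "$(id -u)" ]; then
        echo "FAIL $f: owned by uid $uid, not $(id -u)"; rc=1
    fi
    return $rc
}

# Return 0 if the current umask strips every group/other bit from new files.
umask_is_private() {
    case $(umask) in *77) return 0 ;; *) return 1 ;; esac
}

# Check the three files mentioned in the thread under HOME_DIR ($1).
audit_cred_files() {
    bad=0
    for p in .gkrellm/user-config .netrc .fetchmailrc; do
        check_cred_file "$1/$p" || bad=1
    done
    umask_is_private || echo "NOTE umask $(umask) leaves new files open to group/other"
    return $bad
}

audit_cred_files "${1:-$HOME}" || echo "Tighten each listed file with: chmod 600 FILE"
```

Run it with a home directory as the first argument, or with none to audit `$HOME`.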
Current thread:
- gkrellm 2.1.19 email user/password storage in clear text christopher neitzert (Dec 27)
- Re: gkrellm 2.1.19 email user/password storage in clear text Ag. System Administrator (Dec 28)
- Re: gkrellm 2.1.19 email user/password storage in clear text Jérôme Augé (Dec 28)