List: full-disclosure
Subject: Re: [Full-Disclosure] gkrellm 2.1.19 email user/password storage in clear text
From: Jérôme Au <eguaj () free ! fr>
Date: 2003-12-28 13:49:12
On Sat, Dec 27, 2003 at 03:03:36PM -0800, christopher neitzert wrote:
> Hi all,
>
> I couldn't find this when searching through the list archives so I
> presume it hasn't been posted yet.
>
> From gkrellm-2.1.19 rpm base:
>
> ~user/.gkrellm/user-config stores passwords for IMAP, IMAP-CRAM-MD5,
> and POP in clear text.
>
> From ~user/.gkrellm/user-config
> --
> mail mailbox-remote IMAP_(CRAM-MD5) some.server.com "username"
> "password" 143 "inbox"
> --
>
> Can anyone confirm that this is true on other versions/platforms?
>
Yes, this is true: login and password are stored in clear text, and I
don't think this is a security flaw; this is the expected behaviour.

On my system (Redhat FC1) the `user-config' file is not readable by
other users or groups:

$ ls -l user-config
-rw------- 1 jauge jauge 3287 Dec 28 14:24 user-config

So I don't consider this a problem...

There are plenty of files that store passwords in clear text, like the
.netrc or .fetchmailrc file. The only requirement for such files is to be
correctly protected with a chmod/umask, and this user-config file seems
correctly protected.

Regards,
Jérôme
--
<ESC>:r $HOME/.signature<CR>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
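
The permission requirement discussed in the reply above (no group or other access on files such as user-config, .netrc or .fetchmailrc), as an added example that is not part of the original message: a shell check that reads the same `ls -l` mode string shown in the reply. The function names are hypothetical, and the files to audit are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original thread): audit clear-text credential
# files for group/other permission bits.
# Usage: sh audit.sh ~/.gkrellm/user-config ~/.netrc ~/.fetchmailrc

# Return 0 if only the owner has access, 1 if any group/other bit is set,
# 2 if the path is not a regular file (missing, directory, ...).
cred_file_private() {
    path=$1
    [ -f "$path" ] || return 2
    # In "-rw-------", characters 5-10 are the group and other bits.
    # -L checks the target of a symlink rather than the link itself.
    bits=$(ls -ldL -- "$path" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Print one verdict per file; return 1 if any file is exposed, else 0.
audit_cred_files() {
    rc=0
    for f in "$@"; do
        # Capture the status without tripping `set -e` in a calling script.
        cred_file_private "$f" && st=0 || st=$?
        case $st in
            0) echo "OK       $f" ;;
            1) echo "EXPOSED  $f  (fix: chmod 600 '$f')"
               rc=1 ;;
            *) echo "SKIPPED  $f  (not a regular file)" ;;
        esac
    done
    return $rc
}

# Run the audit only when file names were given on the command line.
[ "$#" -eq 0 ] || audit_cred_files "$@"
```
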