Closed
Bug 263823
Opened 20 years ago
Closed 20 years ago
password gets sent in cleartext despite LOGINDISABLED / RFC 2595
Categories
(MailNews Core :: Networking: IMAP, defect)
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 218901
People
(Reporter: sven-mozilla, Assigned: Bienvenu)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040924 Galeon/1.3.16
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.3) Gecko/20040924 Debian/1.7.3-2

When connecting to a server that behaves according to RFC 2595 (LOGINDISABLED capability), mozilla mail ignores this capability and proceeds to send the password in cleartext.

Reproducible: Always

Steps to Reproduce:
1. Connect to IMAP server that is configured according to RFC 2595
2. mozilla mail checks server's capabilities.

Actual Results:
mozilla mail ignores "LOGINDISABLED" capability and sends mail password in the clear.

Expected Results:
mozilla mail should send "STARTTLS" and encrypt the following data. Under no circumstances should the mail password be sent in the clear if the server has LOGINDISABLED.

Here's a dump from ethereal:

* OK eulerei Cyrus IMAP4 v2.2.8 server ready
1 capability
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED
1 OK Completed
2 login "sn" "cleartext"
2 NO Login only available under a layer

This should qualify as a critical security bug as high-value personal information (i.e. the password) gets revealed to an attacker listening in on the communications.

Michael Fischer von Mollard [fvm (at) heise.de] helped find this bug.
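The client-side decision the report expects, as an added example (not Mozilla's code and not part of the bug report): parse the CAPABILITY response, upgrade with STARTTLS when it is offered, and refuse to send LOGIN while LOGINDISABLED is advertised. The names `parse_capabilities`, `next_command`, `LoginRefused` and the `allow_cleartext` policy switch are hypothetical, and the `AFTER_TLS` and `NO_TLS` responses are constructed sample input.

```python
import re

class LoginRefused(Exception):
    """Raised instead of putting a password on the wire."""

def parse_capabilities(lines):
    """Collect capability atoms from untagged CAPABILITY responses."""
    caps = set()
    for line in lines:
        m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.IGNORECASE)
        if m:
            caps.update(atom.upper() for atom in m.group(1).split())
    return caps

def next_command(caps, tls_active, allow_cleartext=False):
    """Return the next command the client may send: 'STARTTLS' or 'LOGIN'.

    caps must come from a CAPABILITY issued on the current layer: after
    STARTTLS the pre-TLS list is discarded and CAPABILITY is re-issued.
    allow_cleartext is a hypothetical local policy switch (assumption).
    """
    if not tls_active and "STARTTLS" in caps:
        return "STARTTLS"            # upgrade before any credentials
    if "LOGINDISABLED" in caps:      # RFC 2595: LOGIN must not be issued
        raise LoginRefused("LOGINDISABLED advertised; LOGIN not sent")
    if tls_active or allow_cleartext:
        return "LOGIN"
    raise LoginRefused("no TLS layer and cleartext LOGIN not permitted")

# Server responses quoted in the report above.
REPORTED = [
    "* OK eulerei Cyrus IMAP4 v2.2.8 server ready",
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
    "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND "
    "BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE "
    "STARTTLS LOGINDISABLED",
    "1 OK Completed",
]
# Constructed: what such a server might advertise once TLS is active.
AFTER_TLS = ["* CAPABILITY IMAP4rev1 IDLE AUTH=PLAIN", "2 OK Completed"]
# Constructed: LOGINDISABLED with no STARTTLS on offer.
NO_TLS = ["* CAPABILITY IMAP4rev1 LOGINDISABLED"]

if __name__ == "__main__":
    print(next_command(parse_capabilities(REPORTED), tls_active=False))
    print(next_command(parse_capabilities(AFTER_TLS), tls_active=True))
```

Reusing the pre-TLS capability list after the upgrade also ends in `LoginRefused`, because the stale list still contains LOGINDISABLED.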
Comment 1•20 years ago
see also bug 218901 duplicate of bug 218901.

*** This bug has been marked as a duplicate of 218901 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Updated•20 years ago
Product: MailNews → Core
Updated•16 years ago
Product: Core → MailNews Core