263823 - password gets sent in cleartext despite LOGINDISABLED / RFC 2595

Status: VERIFIED DUPLICATE of bug 218901

(MailNews Core :: Networking: IMAP, defect)

Description

[Sven Neuhaus]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040924 Galeon/1.3.16
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.3) Gecko/20040924 Debian/1.7.3-2

When connecting to a server that behaves according to RFC 2595 
(LOGINDISABLED capability), mozilla mail ignores this capability and proceeds to
sending the password in cleartext.

Reproducible: Always
Steps to Reproduce:
1. Connect to IMAP server that is configured according to RFC 2595
2. mozilla mail checks server's capabilities.


Actual Results:  
mozilla mail ignores "LOGINDISABLED" capability and sends mail password in the
clear.

Expected Results:  
mozilla mail should send "STARTTLS" and encrypt the following data.
Under no circumstances the mail password should be sent in the clear if the
server has LOGINDISABLED.


Here's a dump from ethereal:

* OK eulerei Cyrus IMAP4 v2.2.8 server ready

1 capability

* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE
UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED

1 OK Completed

2 login "sn" "cleartext"

2 NO Login only available under a layer


This should qualify as a critical security bug as high-value personal
information (i.e. the password) gets revealed to an attacker listening in on the
communications.

Michael Fischer von Mollard [fvm (at) heise.de] helped finding this bug.

Comment 1

[Christian :Biesinger (don't email me, ping me on IRC)]

see also bug 218901

duplicate of bug 218901.

*** This bug has been marked as a duplicate of 218901 ***

Comment 2

[Daniel Veditz [:dveditz]]

dupe of non-confidential bug.