Message-ID: <20031228134911.GA1279@satellite.workgroup.fr>
From: eguaj at free.fr (Jérôme Augé)
Subject: gkrellm 2.1.19 email user/password storage in clear text

On Sat, Dec 27, 2003 at 03:03:36PM -0800, christopher neitzert wrote:
> Hi all,
> 
> I couldn't find this when searching through the list archives so I
> presume it hasn't been posted yet.
> 
> From gkrellm-2.1.19 rpm base:
> 
> ~user/.gkrellm/user-config  stores passwords for IMAP, IMAP-CRAM-MD5,
> and POP in clear text.
> 
> From ~user/.gkrellm/user-config
> --
> mail mailbox-remote IMAP_(CRAM-MD5) some.server.com "username"
> "password" 143 "inbox"
> --
> 
> Can anyone confirm that this is true on other versions/platforms?
> 

Yes, this is true: the login and password are stored in clear text, and I
don't think this is a security flaw; this is the expected behaviour.

On my system (Redhat FC1) the `user-config' file is not readable by
other users or groups:

  $ ls -l user-config
  -rw-------    1 jauge    jauge        3287 Dec 28 14:24 user-config

So I don't consider this a problem...

There are plenty of files that store passwords in clear text, like the
.netrc or .fetchmailrc file. The only requirement for such a file is to be
correctly protected with a chmod/umask, and this user-config file seems
correctly protected.

Regards,
Jérôme

-- 
<ESC>:r $HOME/.signature<CR>
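
The permission check discussed in the message above, written as an audit script. This is an added example, not part of the original post and not gkrellm code; the function names are hypothetical, and the file list is taken from the three files the thread names.

```python
import os
import stat

# Credential files named in the thread, relative to the user's home directory.
CREDENTIAL_FILES = (".gkrellm/user-config", ".netrc", ".fetchmailrc")


def audit_secret_file(path):
    """Return a list of findings for one credential file (empty list = OK)."""
    try:
        # lstat, not stat: a symlink at this path must not be followed.
        st = os.lstat(path)
    except FileNotFoundError:
        return []  # nothing stored, nothing to protect
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        # Any group/other bit is a finding; -rw------- (0600) passes.
        findings.append("group/other access bits set: %04o" % mode)
    if st.st_uid != os.getuid():
        findings.append("owned by uid %d, not the current user" % st.st_uid)
    return findings


def audit_home(home):
    """Audit each known credential file under `home`; map path -> findings."""
    report = {}
    for rel in CREDENTIAL_FILES:
        path = os.path.join(home, rel)
        findings = audit_secret_file(path)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit_home(os.path.expanduser("~")).items():
        for finding in findings:
            print("%s: %s" % (path, finding))
```

The check covers only the file's own mode and owner; it does not inspect backups, parent directories, or processes running as the same user.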

