Re: CVE request -- vCalendar plugin for Claws Mail: credentials exposed on interface
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 28 Nov 2012 10:10:53 -0700
Ah I didn't reply to oss-sec somehow the first time around.
On 11/15/2012 05:36 AM, Ricardo Mones wrote:
This has been reported on our bugzilla:
There's still no fix available. Could a CVE id be allocated for
this if appropriate?
thanks in advance,
P.S.: I'm not subscribed to the list.
Ok so based on the bug entry:
In some instances, it might be the case that the only possible way to
access a calendaring service is through https, and in such cases, the
only way to authenticate (at least within the confines of vCalendar)
is by embedding the username:password into the ics URL and/or have a
'private' url that shouldn't be shared.
In either case, after configuring a calendar and trying to access it,
the full url is displayed in the status tray when trying to poll the
calendar, something like:
'https://user:password@server.example.com/location/of/my/Calendar'...
Thus, use of the vCalendar plugin really isn't suitable or secure for
such configurations! In the scenarios above, the former is more of a
concern but neither is one you'd necessarily want to expose to prying
eyes. Even a google calendar "private url", for example, is visible
in its entirety within the status tray.
Basically for all password entry fields we usually **** them out by
default. As well, AFAIK pretty much all applications that store
passwords in plain text don't display them by default when you open up
the password management screen (e.g. web browsers like Firefox). So in
general we have a well established trend of hiding plain text
passwords and not displaying them unless the user takes a specific
action to display them (e.g. "show hidden password").
Please use CVE-2012-5527 for this issue.
-- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
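As an added example of the convention described in the message above (this is not code from Claws Mail or the vCalendar plugin; the function names mask_url_password and url_for_status and the sample URL are made up for illustration): two small C helpers that sanitise a calendar URL before it is handed to a status line. The first keeps the URL recognisable and stars out only the password, matching how password entry fields are masked; the second reduces it to scheme and host, which also covers the "private URL" case where the secret is the path rather than a password.

```c
#include <stdio.h>
#include <string.h>

/* Locate the authority ("[userinfo@]host[:port]") of a hierarchical URL.
 * Sets *auth/*auth_end and returns 1, or returns 0 when there is no
 * "scheme://" prefix to parse. */
static int url_authority(const char *url, const char **auth,
                         const char **auth_end)
{
    const char *sep = strstr(url, "://");

    if (sep == NULL)
        return 0;
    *auth = sep + 3;
    /* The authority ends at the first '/', '?' or '#' after the scheme. */
    *auth_end = *auth + strcspn(*auth, "/?#");
    return 1;
}

/* Copy url into out with the password in the userinfo replaced by "****":
 *   https://user:secret@host/cal.ics  ->  https://user:****@host/cal.ics
 * URLs with no password (or no userinfo at all) are copied unchanged.
 * Returns out, or NULL if outlen is too small for the result. */
const char *mask_url_password(const char *url, char *out, size_t outlen)
{
    const char *auth, *auth_end, *p, *at = NULL, *colon = NULL;
    int n;

    if (url_authority(url, &auth, &auth_end)) {
        /* userinfo ends at the last '@' inside the authority; an '@' in the
         * path or query is not credentials and is never reached here */
        for (p = auth; p < auth_end; p++)
            if (*p == '@')
                at = p;
        if (at != NULL)
            colon = memchr(auth, ':', (size_t)(at - auth));
    }
    if (colon == NULL) {
        if (strlen(url) >= outlen)
            return NULL;
        strcpy(out, url);
        return out;
    }
    /* "scheme://user:" + "****" + "@host..." */
    n = snprintf(out, outlen, "%.*s****%s", (int)(colon + 1 - url), url, at);
    return (n < 0 || (size_t)n >= outlen) ? NULL : out;
}

/* Reduce a URL to "scheme://host[:port]/" for a status line, so that neither
 * embedded credentials nor a secret path (a "private" calendar URL whose
 * secret is the path itself) are shown. */
const char *url_for_status(const char *url, char *out, size_t outlen)
{
    const char *auth, *auth_end, *p, *hostport;
    int n;

    if (!url_authority(url, &auth, &auth_end)) {
        n = snprintf(out, outlen, "<non-hierarchical url>");
    } else {
        hostport = auth;
        for (p = auth; p < auth_end; p++)
            if (*p == '@')
                hostport = p + 1;  /* skip past the userinfo */
        n = snprintf(out, outlen, "%.*s%.*s/", (int)(auth - url), url,
                     (int)(auth_end - hostport), hostport);
    }
    return (n < 0 || (size_t)n >= outlen) ? NULL : out;
}

int main(void)
{
    /* constructed sample URL; host, user and password are made up */
    const char *sample =
        "https://alice:hunter2@calendar.example.com/cal/private-1a2b3c.ics";
    char buf[256];

    printf("masked: %s\n", mask_url_password(sample, buf, sizeof buf));
    printf("status: %s\n", url_for_status(sample, buf, sizeof buf));
    return 0;
}
```

The bug entry's complaint is about the displayed copy of the URL, so either helper is applied at the point where the string is handed to the status tray and the stored configuration is left alone. The origin-only form is the safer default for a status line, since it needs no guess about where in the URL the secret lives.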