
Re: [Full-Disclosure] gkrellm 2.1.19 email user/password storage in clear text



On Sat, Dec 27, 2003 at 03:03:36PM -0800, christopher neitzert wrote:
> Hi all,
> 
> I couldn't find this when searching through the list archives so I
> presume it hasn't been posted yet.
> 
> From gkrellm-2.1.19 rpm base:
> 
> ~user/.gkrellm/user-config  stores passwords for IMAP, IMAP-CRAM-MD5,
> and POP in clear text.
> 
> From ~user/.gkrellm/user-config
> --
> mail mailbox-remote IMAP_(CRAM-MD5) some.server.com "username"
> "password" 143 "inbox"
> --
> 
> Can anyone confirm that this is true on other versions/platforms?
> 

Yes, this is true: login and password are stored in clear text, and I
don't think this is a security flaw; this is the expected behaviour.

On my system (Redhat FC1) the `user-config` file is not readable by
other users or groups:

  $ ls -l user-config
  -rw-------    1 jauge    jauge        3287 Dec 28 14:24 user-config

So I don't consider this a problem...

There are plenty of files that store passwords in clear text, like the
.netrc or .fetchmailrc file. The only requirement for such a file is to be
correctly protected with a chmod/umask, and this user-config file seems
correctly protected.

Regards,
Jérôme

-- 
<ESC>:r $HOME/.signature<CR>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
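
The permission check discussed in the reply above, as an added example that is not part of the original post or of gkrellm: it audits the clear-text credential files named in the thread for owner-only access. The symlink, ownership and parent-directory checks go beyond what the post states, and the temporary home directory built in `demo()` is constructed sample data.

```python
import os
import stat
import tempfile

# Clear-text credential files named in the thread, relative to a home directory.
CANDIDATES = [".gkrellm/user-config", ".netrc", ".fetchmailrc"]

def audit_file(path, expected_uid=None):
    """Return a list of problems for one credential file (empty list = OK)."""
    if expected_uid is None:
        expected_uid = os.getuid()
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink sitting at the path
    except FileNotFoundError:
        return []
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; audit the target instead"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & 0o077  # any group/other bit exposes the stored password
    if extra:
        problems.append(f"group/other bits set: {extra:03o} (mode {mode:04o})")
    # Assumption beyond the post: a writable parent lets another user swap the file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & 0o022 and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent directory is group/world-writable")
    return problems

def audit_home(home):
    """Map each candidate file that has problems to its list of problems."""
    return {rel: p for rel in CANDIDATES if (p := audit_file(os.path.join(home, rel)))}

def demo():
    """Constructed sample: a 0600 user-config and a 0644 .netrc in a temp home."""
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, ".gkrellm"), 0o700)
        for rel, mode in ((".gkrellm/user-config", 0o600), (".netrc", 0o644)):
            full = os.path.join(home, rel)
            with open(full, "w") as f:
                f.write("placeholder\n")
            os.chmod(full, mode)  # explicit chmod so the result ignores umask
        return audit_home(home)

if __name__ == "__main__":
    for rel, problems in demo().items():
        print(rel, "->", "; ".join(problems))
```

Calling `audit_home(os.path.expanduser("~"))` runs the same checks against a real account.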