Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile
Control: tag -1 unreproducible

On Wed, 10 Jun 2020 at 23:19:41 +0200, Marco Herrn wrote:
> When writing into a logfile, rainloop writes the passwords of all
> login attempts (successful or not) into the logfile in cleartext.

FWIW I'm not able to reproduce this with the version from Debian buster
(1.12.1-2). Stock config, just replaced ‘enable = Off’ with ‘enable = On’
in /etc/rainloop/application.ini's ‘[logs]’ section. (‘hide_passwords’
remains set as per default.) I see my username in the log, but the
passphrase is replaced with (a fixed number of) asterisks in both
successful and failed sessions:

INFO[DATA]: [DATE:27.05.23][OFFSET:-00][RL:1.12.1][PHP:7.3.31-1~deb10u3][IP:127.0.0.1][PID:976085][nginx/1.14.2][fpm-fcgi]
INFO[DATA]: [Suhosin:off][APC:off][MB:off][PDO:~][Streams:tcp,udp,unix,udg,ssl,tls,tlsv1.0,tlsv1.1,tlsv1.2]
REQUEST[NOTE]: [POST] http://127.0.0.1/?/Ajax/[]=/0/
AJAX[NOTE]: Action: DoLogin
POST[DATA]: {"Email":"guil...@example.net","Login":"","Password":"***","Language":"","AdditionalCode":"","AdditionalCodeSignMe":"0","SignMe":"0","Action":"Login","XToken":"[…]"}
IMAP[NOTE]: Start connection to "ssl://imap.example.net:993"
IMAP[NOTE]: Connected (success)
IMAP[DATA]: < * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] howdy, ready.\r\n
IMAP[DATA]: > TAG1 AUTHENTICATE PLAIN\r\n
IMAP[DATA]: < + \r\n
IMAP[SECURE]: > ***\r\n
IMAP[DATA]: < TAG1 NO [AUTHENTICATIONFAILED] Authentication failed.\r\n
IMAP[WARNING]: MailSo\Imap\Exceptions\NegativeResponseException: MailSo-Imap-Exceptions-NegativeResponseException (ImapClient.php ~ 1874) in /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php:1874
Stack trace:
#0 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(1951): MailSo\Imap\ImapClient->validateResponse(Array)
#1 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(281): MailSo\Imap\ImapClient->parseResponseWithValidation()
#2 /usr/share/rainloop/app/libraries/MailSo/Mail/MailClient.php(92): MailSo\Imap\ImapClient->Login('guilhem@example', '***', '', true, false)
#3 /usr/share/rainloop/app/libraries/RainLoop/Model/Account.php(451): MailSo\Mail\MailClient->Login('guilhem@example', '***', '', true, false)
#4 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2078): RainLoop\Model\Account->IncConnectAndLoginHelper(Object(RainLoop\Plugins\Manager), Object(MailSo\Mail\MailClient), Object(RainLoop\Config\Application))
#5 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2329): RainLoop\Actions->CheckMailConnection(Object(RainLoop\Model\Account), true)
#6 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2381): RainLoop\Actions->LoginProcess('guilhem@example', '***', '', '', false)
#7 /usr/share/rainloop/app/libraries/RainLoop/ServiceActions.php(172): RainLoop\Actions->DoLogin()
#8 /usr/share/rainloop/app/libraries/RainLoop/Service.php(146): RainLoop\ServiceActions->ServiceAjax('')
#9 /usr/share/rainloop/app/libraries/RainLoop/Service.php(56): RainLoop\Service->localHandle()
#10 /usr/share/rainloop/app/libraries/RainLoop/Service.php(79): RainLoop\Service->__construct()
#11 /usr/share/rainloop/app/handle.php(94): RainLoop\Service::Handle()
#12 /usr/share/rainloop/include.php(228): include('/usr/share/rain...')
#13 /usr/share/rainloop/index.php(13): include('/usr/share/rain...')
#14 {main}
IMAP[NOTICE]: MailSo\Imap\Exceptions\NegativeResponseException: MailSo-Imap-Exceptions-NegativeResponseException (ImapClient.php ~ 1874) in /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php:1874
Stack trace:
#0 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(1951): MailSo\Imap\ImapClient->validateResponse(Array)
#1 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(281): MailSo\Imap\ImapClient->parseResponseWithValidation()
#2 /usr/share/rainloop/app/libraries/MailSo/Mail/MailClient.php(92): MailSo\Imap\ImapClient->Login('guilhem@example', '***', '', true, false)
#3 /usr/share/rainloop/app/libraries/RainLoop/Model/Account.php(451): MailSo\Mail\MailClient->Login('guilhem@example', '***', '', true, false)
#4 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2078): RainLoop\Model\Account->IncConnectAndLoginHelper(Object(RainLoop\Plugins\Manager), Object(MailSo\Mail\MailClient), Object(RainLoop\Config\Application))
#5 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2329): RainLoop\Actions->CheckMailConnection(Object(RainLoop\Model\Account), true)
#6 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2381): RainLoop\Actions->LoginProcess('guilhem@example', '***', '', '', false)
#7 /usr/share/rainloop/app/libraries/RainLoop/ServiceActions.php(172): RainLoop\Actions->DoLogin()
#8 /usr/share/rainloop/app/libraries/RainLoop/Service.php(146):
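As an added example (not part of the bug report and not RainLoop's own code), a small audit script an administrator could run over a RainLoop log to confirm that hide_passwords actually took effect: it flags a POST[DATA] login whose Password field is not a run of asterisks, and an IMAP AUTHENTICATE PLAIN payload that was written to the ordinary [DATA] channel as a decodable base64 blob instead of the masked [SECURE] line. It assumes the 1.12.1 line format quoted above; the sample lines, accounts and password are constructed.

```python
import base64
import json
import re

POST_RE = re.compile(r"^POST\[DATA\]: (\{.*\})$")
IMAP_RE = re.compile(r"^IMAP\[(DATA|SECURE)\]: > (.*?)(?:\\r\\n)?$")

# Constructed sample, not from a real installation, modelled on the 1.12.1 log
# format quoted above; the second login imitates a build where masking fails.
_LEAKED_BLOB = base64.b64encode(b"\x00bob@example.net\x00hunter2").decode()
SAMPLE_LOG = "\n".join([
    'POST[DATA]: {"Email":"alice@example.net","Password":"***","Action":"Login"}',
    "IMAP[DATA]: > TAG1 AUTHENTICATE PLAIN\\r\\n",
    "IMAP[SECURE]: > ***\\r\\n",
    'POST[DATA]: {"Email":"bob@example.net","Password":"hunter2","Action":"Login"}',
    "IMAP[DATA]: > TAG1 AUTHENTICATE PLAIN\\r\\n",
    "IMAP[DATA]: > " + _LEAKED_BLOB + "\\r\\n",
])

def sasl_plain_user(payload):
    """Authcid of a base64 SASL PLAIN blob (authzid NUL authcid NUL passwd), else None."""
    try:
        parts = base64.b64decode(payload, validate=True).split(b"\x00")
    except ValueError:  # binascii.Error is a ValueError; a masked '***' lands here
        return None
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else None

def find_leaks(log_text):
    """Return (line_no, source, identity) per unmasked credential, never the secret."""
    findings, expecting_sasl = [], False
    for no, line in enumerate(log_text.splitlines(), start=1):
        if m := POST_RE.match(line):
            body = json.loads(m.group(1))
            pw = body.get("Password")
            if isinstance(pw, str) and pw and set(pw) != {"*"}:
                findings.append((no, "POST", body.get("Email", "")))
        elif m := IMAP_RE.match(line):
            channel, payload = m.groups()
            if expecting_sasl:
                expecting_sasl = False
                # Masked secrets go to [SECURE]; a decodable PLAIN blob on the
                # ordinary [DATA] channel means the password reached the log.
                user = sasl_plain_user(payload) if channel == "DATA" else None
                if user is not None:
                    findings.append((no, "IMAP", user))
            elif payload.upper().endswith("AUTHENTICATE PLAIN"):
                expecting_sasl = True
    return findings
```

Run it against your own /var/log path with `find_leaks(open(path).read())`; an empty list means every login the script recognised was masked on both channels.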
Bug#962629: [Pkg-javascript-devel] Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile
Hello Daniel,

I don't have the possibility to try out a newer version of rainloop, but
according to a recent comment on the github issue [1] this is really
fixed in version 1.14.0 of rainloop. So I assume that only applies to
the current stable release.

Nevertheless I see this bug as grave enough that in my opinion this has
to be mentioned prominently to users of the package or even better be
fixed in a downstream patch (if the actual cause of the problem is
known).

Best regards
Marco

[1] https://github.com/RainLoop/rainloop-webmail/issues/1872#issuecomment-645547357

On Sun, Jun 14, 2020 at 10:13:23PM -0700, Daniel Ring wrote:
> Hello Marco,
>
> I wasn't able to reproduce this issue in the current version of Rainloop.
> Passwords were replaced by asterisks in the logs with the hide_passwords
> option enabled (the default). Could you please check to see if package
> version 1.14.0-1, currently in testing/unstable, resolves the issue for you?
>
> Fortunately the package version in stable is secure by default, as logging
> is disabled in the default config file. The GitHub issue has unfortunately
> been open for over a year with no comments from upstream, so they likely
> have no plans to address it.
>
> -- Daniel
>
> On 6/10/2020 2:19 PM, herrn at sout.de (Marco Herrn) wrote:
> > Package: rainloop
> > Version: 1.12.1-2
> > Severity: important
> >
> > Dear Maintainer,
> >
> > When writing into a logfile, rainloop writes the passwords of all login
> > attempts (successful or not) into the logfile in cleartext.
> >
> > Rainloop provides an option 'hide_passwords' in the application.ini that
> > should prohibit that behaviour, which is by default set to 'On'. But
> > apparently this doesn't have any effect.
> >
> > There is already an unresolved github issue about that topic:
> > https://github.com/RainLoop/rainloop-webmail/issues/1872
> >
> > Even though this issue doesn't affect the actual usability of rainloop,
> > I set the severity to 'Important' as this is a security issue.
> >
> >
> > -- System Information:
> > Debian Release: 10.4
> >   APT prefers stable-updates
> >   APT policy: (500, 'stable-updates'), (500, 'stable')
> > Architecture: amd64 (x86_64)
> >
> > Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> > LANGUAGE=en_US:en (charmap=UTF-8)
> > Shell: /bin/sh linked to /usr/bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> >
> > Versions of packages rainloop depends on:
> > ii  apache2 [httpd]         2.4.38-3+deb10u3
> > ii  ckeditor                4.11.1+dfsg-1
> > ii  php-curl                2:7.3+69
> > ii  php-fpm                 2:7.3+69
> > ii  php-nrk-predis          1.0.0-1
> > ii  php-pclzip              2.8.2-4
> > ii  php-seclib              1.0.14-1
> > ii  php-xml                 2:7.3+69
> > ii  php7.3-curl [php-curl]  7.3.14-1~deb10u1
> > ii  php7.3-fpm [php-fpm]    7.3.14-1~deb10u1
> > ii  php7.3-json [php-json]  7.3.14-1~deb10u1
> > ii  php7.3-xml [php-xml]    7.3.14-1~deb10u1
> >
> > rainloop recommends no packages.
> >
> > Versions of packages rainloop suggests:
> > pn  php5-sqlite | php5-mysql | php5-pgsql
> >
> > -- Configuration Files:
> > /etc/rainloop/application.ini changed [not included]
> > /etc/rainloop/rainloop.apache.conf changed [not included]
> >
> > -- no debconf information
> >
Bug#962629: [Pkg-javascript-devel] Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile
Hello Marco,

I wasn't able to reproduce this issue in the current version of Rainloop.
Passwords were replaced by asterisks in the logs with the hide_passwords
option enabled (the default). Could you please check to see if package
version 1.14.0-1, currently in testing/unstable, resolves the issue for you?

Fortunately the package version in stable is secure by default, as logging
is disabled in the default config file. The GitHub issue has unfortunately
been open for over a year with no comments from upstream, so they likely
have no plans to address it.

-- Daniel

On 6/10/2020 2:19 PM, herrn at sout.de (Marco Herrn) wrote:
> Package: rainloop
> Version: 1.12.1-2
> Severity: important
>
> Dear Maintainer,
>
> When writing into a logfile, rainloop writes the passwords of all login
> attempts (successful or not) into the logfile in cleartext.
>
> Rainloop provides an option 'hide_passwords' in the application.ini that
> should prohibit that behaviour, which is by default set to 'On'. But
> apparently this doesn't have any effect.
>
> There is already an unresolved github issue about that topic:
> https://github.com/RainLoop/rainloop-webmail/issues/1872
>
> Even though this issue doesn't affect the actual usability of rainloop,
> I set the severity to 'Important' as this is a security issue.
>
>
> -- System Information:
> Debian Release: 10.4
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US:en (charmap=UTF-8)
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages rainloop depends on:
> ii  apache2 [httpd]         2.4.38-3+deb10u3
> ii  ckeditor                4.11.1+dfsg-1
> ii  php-curl                2:7.3+69
> ii  php-fpm                 2:7.3+69
> ii  php-nrk-predis          1.0.0-1
> ii  php-pclzip              2.8.2-4
> ii  php-seclib              1.0.14-1
> ii  php-xml                 2:7.3+69
> ii  php7.3-curl [php-curl]  7.3.14-1~deb10u1
> ii  php7.3-fpm [php-fpm]    7.3.14-1~deb10u1
> ii  php7.3-json [php-json]  7.3.14-1~deb10u1
> ii  php7.3-xml [php-xml]    7.3.14-1~deb10u1
>
> rainloop recommends no packages.
>
> Versions of packages rainloop suggests:
> pn  php5-sqlite | php5-mysql | php5-pgsql
>
> -- Configuration Files:
> /etc/rainloop/application.ini changed [not included]
> /etc/rainloop/rainloop.apache.conf changed [not included]
>
> -- no debconf information
Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile
Package: rainloop
Version: 1.12.1-2
Severity: important

Dear Maintainer,

When writing into a logfile, rainloop writes the passwords of all login
attempts (successful or not) into the logfile in cleartext.

Rainloop provides an option 'hide_passwords' in the application.ini that
should prohibit that behaviour, which is by default set to 'On'. But
apparently this doesn't have any effect.

There is already an unresolved github issue about that topic:
https://github.com/RainLoop/rainloop-webmail/issues/1872

Even though this issue doesn't affect the actual usability of rainloop,
I set the severity to 'Important' as this is a security issue.


-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rainloop depends on:
ii  apache2 [httpd]         2.4.38-3+deb10u3
ii  ckeditor                4.11.1+dfsg-1
ii  php-curl                2:7.3+69
ii  php-fpm                 2:7.3+69
ii  php-nrk-predis          1.0.0-1
ii  php-pclzip              2.8.2-4
ii  php-seclib              1.0.14-1
ii  php-xml                 2:7.3+69
ii  php7.3-curl [php-curl]  7.3.14-1~deb10u1
ii  php7.3-fpm [php-fpm]    7.3.14-1~deb10u1
ii  php7.3-json [php-json]  7.3.14-1~deb10u1
ii  php7.3-xml [php-xml]    7.3.14-1~deb10u1

rainloop recommends no packages.

Versions of packages rainloop suggests:
pn  php5-sqlite | php5-mysql | php5-pgsql

-- Configuration Files:
/etc/rainloop/application.ini changed [not included]
/etc/rainloop/rainloop.apache.conf changed [not included]

-- no debconf information