Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile

2023-05-27 Thread Guilhem Moulin
Control: tag -1 unreproducible

On Wed, 10 Jun 2020 at 23:19:41 +0200, Marco Herrn wrote:
> When writing into a logfile, rainloop writes the passwords of all
> login attempts (successful or not) into the logfile in cleartext.

FWIW I'm not able to reproduce this with the version from Debian buster
(1.12.1-2).  Stock config, just replaced ‘enable = Off’ with ‘enable = On’
in /etc/rainloop/application.ini's ‘[logs]’ section.  (‘hide_passwords’
remains set as per default.)  I see my username in the log, but the
passphrase is replaced with (a fixed number of) asterisks in both
successful and failed sessions:

INFO[DATA]: [DATE:27.05.23][OFFSET:-00][RL:1.12.1][PHP:7.3.31-1~deb10u3][IP:127.0.0.1][PID:976085][nginx/1.14.2][fpm-fcgi]
INFO[DATA]: [Suhosin:off][APC:off][MB:off][PDO:~][Streams:tcp,udp,unix,udg,ssl,tls,tlsv1.0,tlsv1.1,tlsv1.2]
REQUEST[NOTE]: [POST] http://127.0.0.1/?/Ajax/[]=/0/
AJAX[NOTE]: Action: DoLogin
POST[DATA]: {"Email":"guil...@example.net","Login":"","Password":"***","Language":"","AdditionalCode":"","AdditionalCodeSignMe":"0","SignMe":"0","Action":"Login","XToken":"[…]"}
IMAP[NOTE]: Start connection to "ssl://imap.example.net:993"
IMAP[NOTE]: Connected (success)
IMAP[DATA]: < * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] howdy, ready.\r\n
IMAP[DATA]: > TAG1 AUTHENTICATE PLAIN\r\n
IMAP[DATA]: < + \r\n
IMAP[SECURE]: > ***\r\n
IMAP[DATA]: < TAG1 NO [AUTHENTICATIONFAILED] Authentication failed.\r\n
IMAP[WARNING]: MailSo\Imap\Exceptions\NegativeResponseException: MailSo-Imap-Exceptions-NegativeResponseException (ImapClient.php ~ 1874) in /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php:1874
Stack trace:
#0 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(1951): MailSo\Imap\ImapClient->validateResponse(Array)
#1 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(281): MailSo\Imap\ImapClient->parseResponseWithValidation()
#2 /usr/share/rainloop/app/libraries/MailSo/Mail/MailClient.php(92): MailSo\Imap\ImapClient->Login('guilhem@example', '***', '', true, false)
#3 /usr/share/rainloop/app/libraries/RainLoop/Model/Account.php(451): MailSo\Mail\MailClient->Login('guilhem@example', '***', '', true, false)
#4 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2078): RainLoop\Model\Account->IncConnectAndLoginHelper(Object(RainLoop\Plugins\Manager), Object(MailSo\Mail\MailClient), Object(RainLoop\Config\Application))
#5 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2329): RainLoop\Actions->CheckMailConnection(Object(RainLoop\Model\Account), true)
#6 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2381): RainLoop\Actions->LoginProcess('guilhem@example', '***', '', '', false)
#7 /usr/share/rainloop/app/libraries/RainLoop/ServiceActions.php(172): RainLoop\Actions->DoLogin()
#8 /usr/share/rainloop/app/libraries/RainLoop/Service.php(146): RainLoop\ServiceActions->ServiceAjax('')
#9 /usr/share/rainloop/app/libraries/RainLoop/Service.php(56): RainLoop\Service->localHandle()
#10 /usr/share/rainloop/app/libraries/RainLoop/Service.php(79): RainLoop\Service->__construct()
#11 /usr/share/rainloop/app/handle.php(94): RainLoop\Service::Handle()
#12 /usr/share/rainloop/include.php(228): include('/usr/share/rain...')
#13 /usr/share/rainloop/index.php(13): include('/usr/share/rain...')
#14 {main}
IMAP[NOTICE]: MailSo\Imap\Exceptions\NegativeResponseException: MailSo-Imap-Exceptions-NegativeResponseException (ImapClient.php ~ 1874) in /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php:1874
Stack trace:
#0 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(1951): MailSo\Imap\ImapClient->validateResponse(Array)
#1 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(281): MailSo\Imap\ImapClient->parseResponseWithValidation()
#2 /usr/share/rainloop/app/libraries/MailSo/Mail/MailClient.php(92): MailSo\Imap\ImapClient->Login('guilhem@example', '***', '', true, false)
#3 /usr/share/rainloop/app/libraries/RainLoop/Model/Account.php(451): MailSo\Mail\MailClient->Login('guilhem@example', '***', '', true, false)
#4 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2078): RainLoop\Model\Account->IncConnectAndLoginHelper(Object(RainLoop\Plugins\Manager), Object(MailSo\Mail\MailClient), Object(RainLoop\Config\Application))
#5 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2329): RainLoop\Actions->CheckMailConnection(Object(RainLoop\Model\Account), true)
#6 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2381): RainLoop\Actions->LoginProcess('guilhem@example', '***', '', '', false)
#7 /usr/share/rainloop/app/libraries/RainLoop/ServiceActions.php(172): RainLoop\Actions->DoLogin()
#8 /usr/share/rainloop/app/libraries/RainLoop/Service.php(146): 

Bug#962629: [Pkg-javascript-devel] Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile

2020-06-17 Thread herrn
Hello Daniel,

I don't have the possibility to try out a newer version of rainloop, but
according to a recent comment on the github issue [1] this is really fixed
in version 1.14.0 of rainloop. So I assume that only applies to the current
stable release.

Nevertheless I see this bug as grave enough that in my opinion this has to
be mentioned prominently to users of the package or even better be fixed in
a downstream patch (if the actual cause of the problem is known).

Best regards
Marco


[1] https://github.com/RainLoop/rainloop-webmail/issues/1872#issuecomment-645547357

On Sun, Jun 14, 2020 at 10:13:23PM -0700, Daniel Ring wrote:
> Hello Marco,
> 
> I wasn't able to reproduce this issue in the current version of Rainloop.
> Passwords were replaced by asterisks in the logs with the hide_passwords
> option enabled (the default). Could you please check to see if package
> version 1.14.0-1, currently in testing/unstable, resolves the issue for you?
> 
> Fortunately the package version in stable is secure by default, as logging
> is disabled in the default config file. The GitHub issue has unfortunately
> been open for over a year with no comments from upstream, so they likely
> have no plans to address it.
> 
> -- Daniel
> 
> On 6/10/2020 2:19 PM, herrn at sout.de (Marco Herrn) wrote:
> > Package: rainloop
> > Version: 1.12.1-2
> > Severity: important
> > 
> > Dear Maintainer,
> > 
> > When writing into a logfile, rainloop writes the passwords of all login
> > attempts (successful or not) into the logfile in cleartext.
> > 
> > Rainloop provides an option 'hide_passwords' in the application.ini that
> > should prohibit that behaviour, which is by default set to 'On'. But
> > apparently this doesn't have any effect.
> > 
> > There is already an unresolved github issue about that topic:
> > https://github.com/RainLoop/rainloop-webmail/issues/1872
> > 
> > Even though this issue doesn't affect the actual usability of rainloop,
> > I set the severity to 'Important' as this is a security issue.

Bug#962629: [Pkg-javascript-devel] Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile

2020-06-15 Thread Daniel Ring

Hello Marco,

I wasn't able to reproduce this issue in the current version of 
Rainloop. Passwords were replaced by asterisks in the logs with the 
hide_passwords option enabled (the default). Could you please check to 
see if package version 1.14.0-1, currently in testing/unstable, resolves 
the issue for you?


Fortunately the package version in stable is secure by default, as 
logging is disabled in the default config file. The GitHub issue has 
unfortunately been open for over a year with no comments from upstream, 
so they likely have no plans to address it.


-- Daniel

On 6/10/2020 2:19 PM, herrn at sout.de (Marco Herrn) wrote:

> Package: rainloop
> Version: 1.12.1-2
> Severity: important
> 
> Dear Maintainer,
> 
> When writing into a logfile, rainloop writes the passwords of all login
> attempts (successful or not) into the logfile in cleartext.
> 
> Rainloop provides an option 'hide_passwords' in the application.ini that
> should prohibit that behaviour, which is by default set to 'On'. But
> apparently this doesn't have any effect.
> 
> There is already an unresolved github issue about that topic:
> https://github.com/RainLoop/rainloop-webmail/issues/1872
> 
> Even though this issue doesn't affect the actual usability of rainloop,
> I set the severity to 'Important' as this is a security issue.

Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile

2020-06-10 Thread Marco Herrn
Package: rainloop
Version: 1.12.1-2
Severity: important

Dear Maintainer,

When writing into a logfile, rainloop writes the passwords of all login
attempts (successful or not) into the logfile in cleartext.

Rainloop provides an option 'hide_passwords' in the application.ini that
should prohibit that behaviour, which is by default set to 'On'. But
apparently this doesn't have any effect.

There is already an unresolved github issue about that topic:
https://github.com/RainLoop/rainloop-webmail/issues/1872

Even though this issue doesn't affect the actual usability of rainloop,
I set the severity to 'Important' as this is a security issue.


-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rainloop depends on:
ii  apache2 [httpd]         2.4.38-3+deb10u3
ii  ckeditor                4.11.1+dfsg-1
ii  php-curl                2:7.3+69
ii  php-fpm                 2:7.3+69
ii  php-nrk-predis          1.0.0-1
ii  php-pclzip              2.8.2-4
ii  php-seclib              1.0.14-1
ii  php-xml                 2:7.3+69
ii  php7.3-curl [php-curl]  7.3.14-1~deb10u1
ii  php7.3-fpm [php-fpm]    7.3.14-1~deb10u1
ii  php7.3-json [php-json]  7.3.14-1~deb10u1
ii  php7.3-xml [php-xml]    7.3.14-1~deb10u1

rainloop recommends no packages.

Versions of packages rainloop suggests:
pn  php5-sqlite | php5-mysql | php5-pgsql  

-- Configuration Files:
/etc/rainloop/application.ini changed [not included]
/etc/rainloop/rainloop.apache.conf changed [not included]

-- no debconf information