The confirmation should really happen on a page with a META REFRESH that
leads back to the main page. The confirmation page SHOULD NOT display the
password.
Agreed.
----- Original Message -----
> I noted two things about vchkpw/qmailadmin that might merit fixing in
> the next release of vpopmail:
>
> 1. When you add a new pop user using qmailadmin, the "Successfully
> Added" message that appears on the page includes the new user's password
> in large plain text. Not only a "shoulder-hugger" problem but I suppose
> this could also end up in the browser's page cache.
>
> 2. When vchkpw has trouble authenticating a user against the default
> password cdb file, it writes a log message that includes the username
> *and* the password in plain text. Also not a good idea, IMHO.
