Barry Dwyer wrote:
> 
> I noted two things about vchkpw/qmailadmin that might merit fixing in
> the next release of vpopmail:
> 
> 1. When you add a new pop user using qmailadmin, the "Successfully
> Added" message that appears on the page includes the new user's password
> in large plain text. Not only a "shoulder-hugger" problem but I suppose
> this could also end up in the browser's page cache.

Fixed. It's in the 0.36 devel version, not updated on web site yet.

> 
> 2. When vchkpw has trouble authenticating a user against the default
> password cdb file, it writes a log message that includes the username
> *and* the password in plain text. Also not a good idea, IMHO.

We had a lot of discussions about this. The reason why it was put in
was so system admins could debug what password someone was trying
to use. Admin says, "Your password is HHHHHH". User types in "hhhhhhh".

It seems like the default should be to not log the password. 
And if the sys admin wants to, they should have an option to set it.

I updated the default setting to not log the password.
And included a new --enable-logging=p to include the
password in the failed attempt log.

Ken Jones
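
The default-off behaviour described in this message, as an added example (not vpopmail's code and not from either poster): a failed-login log line that leaves the password out unless the build opts in. The macro `LOG_FAILED_PASSWORD`, both function names, the log wording and the sample credentials are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical compile-time switch standing in for an opt-in such as
 * --enable-logging=p. 0 (the default) keeps passwords out of the log. */
#ifndef LOG_FAILED_PASSWORD
#define LOG_FAILED_PASSWORD 0
#endif

/* Copy src into dst, replacing non-printable bytes with '?' so a hostile
 * login name or password cannot inject extra lines into the log. */
static void log_safe(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    if (dstlen == 0)
        return;
    for (; src[i] != '\0' && i + 1 < dstlen; i++)
        dst[i] = isprint((unsigned char)src[i]) ? src[i] : '?';
    dst[i] = '\0';
}

/* Build the failed-login log line. include_pw is a parameter so both
 * modes can be exercised; production code would pass LOG_FAILED_PASSWORD. */
int format_auth_failure(char *out, size_t outlen, const char *user,
                        const char *password, int include_pw)
{
    char u[64], p[64];
    log_safe(u, sizeof u, user);
    if (!include_pw)
        return snprintf(out, outlen, "login failed user=%s", u);
    log_safe(p, sizeof p, password);
    return snprintf(out, outlen, "login failed user=%s password=%s", u, p);
}

int main(void)
{
    char line[256];
    /* Constructed sample credentials, not taken from any real system. */
    format_auth_failure(line, sizeof line, "user@example.com", "hhhhhhh",
                        LOG_FAILED_PASSWORD);
    puts(line);
    return 0;
}
```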
