
IMAP password exposed via error dialog box #5472

Closed
gahr opened this issue Oct 12, 2016 · 2 comments

Comments

@gahr

gahr commented Oct 12, 2016

Error conditions at the IMAP server side (such as failure to respond because of extremely high machine load) could expose a user's password when the LOGIN command fails and the "Unable to send command: $request" string is displayed.

https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap_generic.php#L2031

@alecpl
Member

alecpl commented Oct 12, 2016

Yup, it should be anonymized as we do for debug logging. Or we should use only the command name (e.g. UID FETCH, SEARCH, etc.) instead of the full command with arguments.
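The two mitigations suggested above, masking the credential arguments the way debug logging already does, or showing only the command name, as an added example. This is illustrative Python, not Roundcube's PHP code; the function names `redact_secrets`, `command_name` and `send_error_message` and the sample credentials are constructed for the example, and it assumes the string passed in is a single tagged IMAP command line as the client would send it:

```python
import re

# Commands whose arguments carry credentials. Their arguments must never
# reach a user-visible error dialog or a log file.
SENSITIVE_COMMANDS = {"LOGIN", "AUTHENTICATE"}

# <tag> LOGIN <user> <rest>; <user> may be a quoted string (which can contain
# spaces) or a bare atom/literal marker such as {5}. Everything after the user
# name is treated as the password and masked.
_LOGIN_RE = re.compile(
    r'^(\S+)\s+(LOGIN)\s+("(?:[^"\\]|\\.)*"|\S+)\s+(.*)$',
    re.IGNORECASE | re.DOTALL,
)


def command_name(request: str) -> str:
    """Return only the tag and command keyword (e.g. 'A0001 LOGIN').

    'UID <cmd>' is kept as a two-word name so the message stays meaningful
    for UID FETCH, UID SEARCH, etc. No argument is ever included.
    """
    parts = request.strip().split()
    if not parts:
        return ""
    if len(parts) < 2:
        return parts[0]
    name = parts[1].upper()
    if name == "UID" and len(parts) >= 3:
        name = f"UID {parts[2].upper()}"
    return f"{parts[0]} {name}"


def redact_secrets(request: str) -> str:
    """Keep the command line but replace credential arguments with '****'.

    Non-sensitive commands are returned unchanged, so the error text stays
    as informative as before for FETCH, SEARCH and friends.
    """
    request = request.strip()
    m = _LOGIN_RE.match(request)
    if m:
        # Keep the user name, mask the password (and anything after it, e.g.
        # a literal continuation that was folded into the same string).
        return f"{m.group(1)} {m.group(2).upper()} {m.group(3)} ****"
    parts = request.split(maxsplit=2)
    if len(parts) >= 3 and parts[1].upper() == "AUTHENTICATE":
        # AUTHENTICATE <mechanism> [initial-response]: the initial response
        # may be base64-encoded credentials (SASL PLAIN), so drop it.
        mech, *rest = parts[2].split(maxsplit=1)
        return f"{parts[0]} AUTHENTICATE {mech}" + (" ****" if rest else "")
    return request


def send_error_message(request: str, name_only: bool = False) -> str:
    """Build the 'Unable to send command' text from a sanitized request.

    name_only=True follows the second suggestion (command keyword only);
    the default follows the first (arguments redacted, as in debug logging).
    """
    shown = command_name(request) if name_only else redact_secrets(request)
    return f"Unable to send command: {shown}"


if __name__ == "__main__":
    # Constructed sample: a LOGIN that the server never answered.
    failed = 'A0001 LOGIN "alice@example.com" "hunter2"\r\n'
    print(send_error_message(failed))
    print(send_error_message(failed, name_only=True))
```

Both paths keep the tag, which is what a support engineer needs to correlate the dialog with the IMAP debug log, while the password is absent from the string before it is ever handed to the error display.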

@alecpl
Member

alecpl commented Oct 15, 2016

Fixed.

@alecpl alecpl closed this as completed Oct 15, 2016
ZiBiS added a commit to ZiBiS/roundcubemail that referenced this issue Oct 17, 2016
* upstream/master:
  Fix bug where it wasn't possible to store more than 2MB objects in memcache/apc (roundcube#5452) Added memcache_max_allowed_packet and apc_max_allowed_packet settings
  Password: Added possibility to nicely handle password expiration from other plugins (roundcube#5468)
  Fix bug where IMAP password could be exposed via error message (roundcube#5472)
  Fix bug where deleting folders with subfolders could fail in some cases (roundcube#5466)
  Support HTML input to rcube_text_editor.replace() (roundcube#5456)
  Set smtp options in sample config as they are required now
  Optimize image size
  Bump database version
  Better icon and CSS styles for PGP-related attachments (roundcube#5301 and roundcube#5279)
  Add icons for pgp-keys and php-encrypted attachments (roundcube#5301 and roundcube#5279)
  Update changelog
  Fix flickering of header topline in min-mode (roundcube#5426)
  Do not show inline images of unsupported mimetype (roundcube#5463)
  SQL, upgrade: increase session table ip field size for IPv6 addresses