Permissions issue with enigma plugin allows exfiltration of secret gpg key file #6173
Comments
I'm not sure what we could do here. Securing that directory is the same as securing the temp_dir of Roundcube. There's an .htaccess file. It's also not writable by default, so users have to set permissions (or the folder location) on their own. We could only add an additional warning in README and the sample config.
I suppose using a strong password is in order, and keeping it outside of the web folders like www.
The best way is to move it out of the webserver's document root tree and configure the location with
The problem is nginx doesn't use the .htaccess files provided, and all of these automated install scripts use nginx as the web server. Reference https://bitbucket.org/zhb/iredmail/issues/130/multiple-security-issues-with-default
To make the default installation more secure, force users to set the folder. Added notes that it should be secured or not accessible from the web browser.
Fixed by adding some notes to README and removing the default value for enigma_pgp_homedir.
👍 Thanks
Although this is not exactly access to the secret key, since it is password protected you still have to crack it.
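An added example, not code from Roundcube or the enigma plugin: a small POSIX shell check an operator can run after the fix to confirm that the enigma_pgp_homedir they chose does not sit under the web server's document root (the situation the nginx installs above end up in, since nginx ignores the plugin's .htaccess) and is not world-readable. The option name enigma_pgp_homedir is the real plugin setting; the config and document-root paths used in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of Roundcube or the enigma plugin.
# Usage (paths are assumptions):
#   . ./enigma_check.sh
#   check_enigma_exposure /etc/roundcube/config.inc.php /var/www/roundcube

# Print the value of enigma_pgp_homedir from a Roundcube config file.
# Matches the PHP form  $config['enigma_pgp_homedir'] = '/path';  with
# single or double quotes, and also the older $rcmail_config array.
# Prints nothing when the option is unset (the default after the fix).
enigma_homedir() {
    sed -n "s/^[[:space:]]*\\\$[a-z_]*config\[[\"']enigma_pgp_homedir[\"']][[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | head -n 1
}

# Succeed (exit 0) when path $1 is the document root $2 or lies below it.
is_inside_docroot() {
    root=${2%/}
    case "$1" in
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on the enigma home directory named in config $1 for document root $2.
# Exit status: 0 = outside the document root, 1 = exposed, 2 = option unset.
check_enigma_exposure() {
    conf=$1
    docroot=$2
    dir=$(enigma_homedir "$conf")
    if [ -z "$dir" ]; then
        echo "enigma_pgp_homedir is not set in $conf"
        return 2
    fi
    if is_inside_docroot "$dir" "$docroot"; then
        echo "EXPOSED: $dir is under document root $docroot; a static-file server such as nginx will serve it unless a location block denies it"
        return 1
    fi
    # When the directory already exists, also flag it if others can read it
    # (character 8 of 'ls -ld' output is the read bit for "other").
    if [ -d "$dir" ] && [ "$(ls -ld "$dir" | cut -c8)" = "r" ]; then
        echo "EXPOSED: $dir is world-readable"
        return 1
    fi
    echo "OK: $dir is outside $docroot"
    return 0
}
```

Keeping the directory outside the document root removes the problem regardless of web server; if it has to stay under the root on nginx, an explicit `location` block with `deny all;` for that path is needed, because nginx never reads .htaccess.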
See my reference here.
https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt