[imp] Passwd Module: Security vulnerability ???
Ashwin Kotian
ashwin at comstocksys.com
Tue Jul 15 17:37:20 PDT 2003
I'm using the Passwd 2.2 module available at Horde to use with IMP 3.2.x . However with the documented configuration, it seems that any normal user who logs into IMP can change anyone else's password since the Username display field is also available to him. Is there any way to disable the Username field for any logged in IMP user for the Password module, so that he can change only his own password & not anyone else's. If there is no way to do this right now, it'd seem to be a security vulnerability, wouldn't it !!!
More information about the imp
mailing list