[Tickets #1883] NEW: Insecure: sensitive data in login screen
bugs@bugs.horde.org
Thu Apr 28 07:39:57 PDT 2005
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=1883
-----------------------------------------------------------------------
Ticket | 1883
Created By | ben.sommer at enc.edu
Summary | Insecure: sensitive data in login screen
Queue | IMP
Version | 4.0.3
State | New
Priority | 3. High
Type | Enhancement
Owners |
-----------------------------------------------------------------------
ben.sommer at enc.edu (2005-04-28 07:39) wrote:
In 'imp/templates/login/login.inc' there are several hidden form fields that
expose potentially sensitive network information - including the private IP
address of the mail server, TCP port number, mail protocol, and whether TLS
is on or off. There's no need for this data to be sent to clients, other
than for programmers' convenience.
<snip>
<input type="hidden" name="server" value="10.100.0.23" />
<input type="hidden" name="port" value="143" />
<input type="hidden" name="namespace" value="INBOX." />
<input type="hidden" name="maildomain" value="enc.edu" />
<input type="hidden" name="protocol" value="imap/notls" />
</snip>