[dev] security issue with latest horde.
Ronan SALMON
rsalmon at mbpgroup.com
Wed Apr 8 15:14:43 UTC 2009
Hi,
On my test server, using latest horde/imp/kronolith/ingo. User gets authenticated through IMP.
$conf['auth']['params']['app'] = 'imp';
$conf['auth']['driver'] = 'application';
Once logged in, change the URL to something like http://<server>/horde/dummy. As expected, an error comes up:
NO ROUTES MATCH THE PATH: "HORDE/DUMMY"
object(Horde_Controller_Exception)#44 (6) { ["message:protected"]=> string(39) "No routes match the path: "horde/dummy"" ["string:private"]=> string(0) "" ["code:protected"]=> int(0) ["file:protected"]=> string(47) "/usr/share/pear/Horde/Controller/Dispatcher.php" ["line:protected"]=> int(151) ["trace:private"]=> array(2) {
...
The problem is that, if you look for "password", you'll see the user's password and in my case, ingo vfs's driver password.
I surely have all the debug options turned on (and they should be turned off on production servers!), but I think passwords shouldn't be shown as plain text.
Can someone reproduce this?
Ronan
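The leak described in this report comes from dumping the exception object itself: a PHP backtrace carries each frame's call arguments, so any credential passed down the stack ends up in the debug output. The following is an added example, not Horde code: `connectBackend()` and `authenticate()` are hypothetical stand-ins for an auth or VFS driver, the credentials are constructed, and `redactedTrace()` shows one way to keep the trace readable while masking arguments whose parameter names look like secrets.

```php
<?php
// Added example (not Horde code): an uncaught-exception dump leaks the
// plaintext password that was passed down the call stack, and a redacting
// handler avoids it.

// Hypothetical application code standing in for a Horde auth/VFS driver.
function connectBackend(string $user, string $password): void
{
    // Imagine an IMAP or VFS connection attempt failing here.
    throw new RuntimeException('No routes match the path: "horde/dummy"');
}

function authenticate(string $user, string $password): void
{
    connectBackend($user, $password);
}

// 1. What a debug handler that var_dump()s the exception shows: the private
//    "trace" property includes every frame's "args", so the password appears
//    in clear text (when zend.exception_ignore_args is Off, the compiled-in
//    default; PHP 7.4+ lets you set it On to drop args from traces entirely).
function leakyDump(Throwable $e): string
{
    ob_start();
    var_dump($e);
    return ob_get_clean();
}

// 2. A handler that keeps the trace useful but redacts any argument whose
//    parameter is named like a credential, using reflection on each frame.
function redactedTrace(Throwable $e): string
{
    $out = [];
    foreach ($e->getTrace() as $i => $frame) {
        $args = $frame['args'] ?? [];
        $params = [];
        if (isset($frame['function'])) {
            try {
                $ref = isset($frame['class'])
                    ? new ReflectionMethod($frame['class'], $frame['function'])
                    : new ReflectionFunction($frame['function']);
                $params = $ref->getParameters();
            } catch (ReflectionException $ignored) {
                // Unresolvable frame (e.g. closure): fall back to positional names.
            }
        }
        $shown = [];
        foreach ($args as $k => $arg) {
            $name = isset($params[$k]) ? $params[$k]->getName() : (string) $k;
            $shown[] = preg_match('/pass|secret|token|key/i', $name)
                ? "$name=[REDACTED]"
                : "$name=" . var_export($arg, true);
        }
        $callee = ($frame['class'] ?? '') . ($frame['type'] ?? '') . ($frame['function'] ?? '{main}');
        $out[] = sprintf('#%d %s(%s) at %s:%d', $i, $callee,
            implode(', ', $shown), $frame['file'] ?? '?', $frame['line'] ?? 0);
    }
    return get_class($e) . ': ' . $e->getMessage() . PHP_EOL
        . implode(PHP_EOL, $out) . PHP_EOL;
}

try {
    authenticate('ronan', 's3cret');   // constructed credentials, not real ones
} catch (Throwable $e) {
    // The naive dump contains the plaintext password ...
    assert(strpos(leakyDump($e), 's3cret') !== false);
    // ... the redacted trace does not, yet still names every frame.
    $safe = redactedTrace($e);
    assert(strpos($safe, 's3cret') === false);
    echo $safe;
}
```

Redacting by parameter name is a heuristic: it catches `$password`-style arguments but not a secret hidden inside an array or object, so on production hosts the safer setting is still to disable debug dumps outright (and, on PHP 7.4 or later, `zend.exception_ignore_args = On`) rather than rely on the filter.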