[dev] security issue with latest horde.

Ronan SALMON rsalmon at mbpgroup.com
Wed Apr 8 15:14:43 UTC 2009



Hi,

On my test server, using latest horde/imp/kronolith/ingo. User gets authenticated through IMP.
$conf['auth']['params']['app'] = 'imp';
$conf['auth']['driver'] = 'application';

Once logged in, change the URL to something like http://<server>/horde/dummy. As expected, an error comes up:

No routes match the path: "horde/dummy"

object(Horde_Controller_Exception)#44 (6) { ["message:protected"]=> string(39) "No routes match the path: "horde/dummy"" ["string:private"]=> string(0) "" ["code:protected"]=> int(0) ["file:protected"]=> string(47) "/usr/share/pear/Horde/Controller/Dispatcher.php" ["line:protected"]=> int(151) ["trace:private"]=> array(2) {  

...

The problem is that, if you look for "password", you'll see the user's password and, in my case, the Ingo VFS driver's password.

I surely have all the debug options turned on (and they should be turned off on production servers!), but I think passwords shouldn't be shown as plain text.

Can someone reproduce this?

Ronan
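The leak described in the post comes from the way PHP exceptions carry their stack trace: every frame stores the arguments it was called with, so dumping the exception object (var_dump() or print_r()) also dumps any password that was passed into a function lower in the call chain. The following is an added example, not code from the original post or from Horde; the function names, the sensitive-key list and the credentials are constructed for illustration. It shows a minimal redactor that walks the trace and masks values stored under sensitive keys before the exception is rendered.

```php
<?php
// Added example (not from the original post or from Horde itself).
// Demonstrates why var_dump()/print_r() of an exception can expose
// credentials: the trace carries the arguments of every frame, so any
// function that received a password as a parameter exposes it in a dump.
// redactTrace() walks the frames and masks sensitive keys before rendering.
// connectToBackend() and the key list are hypothetical.

function connectToBackend(array $params): void
{
    // Constructed failure: stands in for a backend that cannot be reached.
    throw new RuntimeException('No routes match the path: "horde/dummy"');
}

// Recursively replace values stored under sensitive keys with a marker.
function redactValue($value, array $sensitiveKeys)
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $out[$k] = in_array(strtolower((string) $k), $sensitiveKeys, true)
                ? '[REDACTED]'
                : redactValue($v, $sensitiveKeys);
        }
        return $out;
    }
    if (is_object($value)) {
        // Objects may hold connection state; report only their class.
        return get_class($value) . ' object';
    }
    return $value;
}

// Return a trace suitable for logging: file, line, function and redacted args.
function redactTrace(Throwable $e, array $sensitiveKeys = ['password', 'passwd', 'secret', 'token']): array
{
    $frames = [];
    foreach ($e->getTrace() as $frame) {
        $args = [];
        foreach ($frame['args'] ?? [] as $arg) {
            $args[] = redactValue($arg, $sensitiveKeys);
        }
        $frames[] = [
            'file'     => $frame['file'] ?? '',
            'line'     => $frame['line'] ?? 0,
            'function' => $frame['function'] ?? '',
            'args'     => $args,
        ];
    }
    return $frames;
}

try {
    // Constructed credentials; a real driver would receive these from $conf.
    connectToBackend(['user' => 'alice', 'password' => 'constructed-example-pw']);
} catch (RuntimeException $e) {
    // Unsafe: var_dump($e) would print 'constructed-example-pw' inside the
    // trace's args. Safer: render the message plus the redacted frames only.
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
    print_r(redactTrace($e));
}
```

Redaction by key name is a best-effort control: a password passed as a bare positional string (not inside a keyed array) still appears in the frame's args, which is why debug dumps of live exceptions belong only on development hosts. Since PHP 7.4 the ini directive zend.exception_ignore_args removes arguments from traces entirely and is enabled in php.ini-production; on older releases, the defensive choice is to never emit the raw exception object to the browser and to log only message, file and line.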