[imp] Passwd Module: Security vulnerability ???

AJ aj at mindcrash.com
Tue Jul 15 17:58:23 PDT 2003


Place this in config/conf.php
$conf['user']['change'] = false;

Also, I don't believe the poppassd server will allow someone to change 
another user's password without prompting for the original password.
If they know the original password, all bets are off anyhow.

HTH
AJ


At 05:37 PM 7/15/2003 -0700, Ashwin Kotian wrote:
>I'm using the Passwd 2.2 module available at Horde to use with IMP 3.2.x. 
>However with the documented configuration, it seems that any normal user 
>who logs into IMP can change anyone else's password since the Username 
>display field is also available to him. Is there any way to disable the 
>Username field for any logged in IMP user for the Password module, so that 
>he can change only his own password & not anyone else's. If there is no 
>way to do this right now, it'd seem to be a security vulnerability, 
>wouldn't it !!!
>
>
>--
>IMP mailing list
>Frequently Asked Questions: http://horde.org/faq/
>To unsubscribe, mail: imp-unsubscribe at lists.horde.org
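
Added example, not part of the original thread and not Horde's or the Passwd module's own code: one way a password-change handler can enforce the setting from the reply on the server side, taking the account from the authenticated session instead of the submitted Username field. The function name resolve_target_user and its arguments are hypothetical; only the $conf['user']['change'] key comes from the post, and the sample requests are constructed.

```php
<?php
// Added illustration; not code from Horde or the Passwd module.
// resolve_target_user() and its parameters are hypothetical names.

/**
 * Decide which account a password-change request applies to.
 *
 * $conf     - configuration array using the key shown in the post
 * $authUser - username of the authenticated session (server-side value)
 * $formUser - username submitted with the form, or null if absent
 */
function resolve_target_user(array $conf, string $authUser, ?string $formUser): string
{
    if ($authUser === '') {
        throw new RuntimeException('no authenticated session');
    }
    if (empty($conf['user']['change'])) {
        // Username changes are disabled: hiding the field in the page is
        // not enough, so a submitted value that differs from the session
        // user is rejected instead of being honoured.
        if ($formUser !== null && $formUser !== '' && $formUser !== $authUser) {
            throw new RuntimeException('username override not permitted');
        }
        return $authUser;
    }
    // Username changes are enabled: the backend's check of the old
    // password is then the only control on which account is changed.
    return ($formUser !== null && $formUser !== '') ? $formUser : $authUser;
}

// Constructed sample requests, evaluated with the setting from the post.
$conf = ['user' => ['change' => false]];
$requests = [
    ['auth' => 'alice', 'form' => null],
    ['auth' => 'alice', 'form' => 'alice'],
    ['auth' => 'alice', 'form' => 'bob'], // form value differs from session user
];
foreach ($requests as $r) {
    try {
        $target = resolve_target_user($conf, $r['auth'], $r['form']);
        echo "{$r['auth']} -> change password for {$target}\n";
    } catch (RuntimeException $e) {
        echo "{$r['auth']} -> rejected: {$e->getMessage()}\n";
    }
}
```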


