[imp] Passwd Module: Security vulnerability ???

Eric Rostetter eric.rostetter at physics.utexas.edu
Tue Jul 15 21:00:11 PDT 2003


Quoting Ashwin Kotian <ashwin at comstocksys.com>:

> I'm using the Passwd 2.2 module available at Horde to use with IMP 3.2.x.

Great!  You might want to join the sork mailing list (see http://lists.horde.org)

> However with the documented configuration, it seems that any normal user who
> logs into IMP can change anyone else's password since the Username display
> field is also available to him.

Only if they know the other user's username and password.  If they know the
other user's username and password, well then you have bigger problems than
the password module.

> Is there any way to disable the Username
> field for any logged in IMP user for the Password module, so that he can
> change only his own password & not anyone else's.

I think in the current version, the only way is to modify the code (just
remove the username field from the code).  But the user can just download
the code, modify it back, and run it, so it won't really help much.

Originally you couldn't specify the username.  Then people requested it,
so it was added.  Then support for guest users was added, so it was needed.
Maybe in the next release we can make it a config option.

> If there is no way to do
> this right now, it'd seem to be a security vulnerability, wouldn't it !!!

Nope, not at all.  No more than any other login access (like the IMP or
Horde login page for example).

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin
 
Why get even? Get odd!
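The point made in the reply above, that removing the username field from the form is no protection because the client can put it back, while the old-password check is what actually stops one user changing another's password, and that locking the target to the session user is something a config option can enforce server-side, is illustrated here as an added example. This is not Horde or Passwd code: the credential store (USERS), the config key allow_username_field, the form field names and the sample accounts are all hypothetical, constructed for the example.

```python
"""Server-side password-change handler illustrating the thread's point.

Constructed example, not Horde/Passwd code. USERS, CONFIG, the form field
names and the sample accounts are hypothetical.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _make_record(password: str) -> dict:
    """Salted hash record for a freshly set password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed credential store: username -> {salt, hash}.
USERS = {
    "alice": _make_record("alice-old-secret"),
    "bob": _make_record("bob-old-secret"),
}

CONFIG = {
    # True: accept whatever username the form sends (the behaviour the
    # thread describes, needed for guest users).
    # False: the config option Eric suggests; the submitted username is
    # ignored and the session user is always the target.
    "allow_username_field": True,
}


def verify_password(username: str, password: str) -> bool:
    """Constant-time check of a candidate password against the store."""
    record = USERS.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"],
                               _hash_password(password, record["salt"]))


def change_password(session_user: str, form: dict, config: dict = CONFIG):
    """Handle a password-change request.

    `form` is exactly what the client submitted.  Nothing in it is trusted
    for authorisation: the client may have re-added a username field the
    page did not render, so the decision rests on the old-password check
    and on the server-side config, never on which fields the form showed.
    Returns (ok, message).
    """
    if config["allow_username_field"]:
        target = form.get("username", session_user)
    else:
        target = session_user  # submitted username, if any, is ignored

    old = form.get("oldpassword", "")
    new = form.get("newpassword", "")

    # The real control: you must already hold the target's current password.
    if not verify_password(target, old):
        return (False, "old password incorrect")
    if len(new) < 8:  # minimal policy, hypothetical
        return (False, "new password too short")

    USERS[target] = _make_record(new)
    return (True, "password changed for " + target)


if __name__ == "__main__":
    # bob is logged in and re-adds a username field naming alice:
    # rejected, because he does not know alice's old password.
    print(change_password("bob", {"username": "alice",
                                  "oldpassword": "bob-old-secret",
                                  "newpassword": "not-alices-choice"}))
    # With the config option off, the same request targets bob himself.
    print(change_password("bob", {"username": "alice",
                                  "oldpassword": "bob-old-secret",
                                  "newpassword": "bob-new-secret"},
                          {"allow_username_field": False}))
```

With allow_username_field left on, a user naming someone else only gets through when they already hold that person's old password, which is the "bigger problem" the reply refers to; with it off, the username the client sends never matters, which is what a form-level removal cannot guarantee.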

