[imp] Re: encrypted login password in form
Enrique
ecastro at dbbf.ulpgc.es
Sat Jul 24 09:47:19 PDT 2004
Michael Yingbull wrote:
>
> On 23-Jul-04, at 11:38 AM, Enrique wrote:
>> My university uses Horde/IMP as main WebMail system for staff and
>> students. I want to integrate this mail system with other tools. I
>> know how to login using a hidden form. However, the examples I have
>> seen expose passwords in plain text in the hidden form.
>
> Just use IMP in SSL mode. Any credential you pass in plain text is
> still in plain text. If your IMP runs over https instead of http,
> you'll get the encryption of the plain text traffic (password and
> otherwise) you're looking for.
>
Thanks for your answer Michael, however, I am worried by other things in
addition to traffic. The example I have found uses a hidden form in an
auto-submit way, like the code posted by Tejeerd van der Zee on 16/08/2002
(see below). It does work and I can log into IMP from my web application,
but the intermediary page gets displayed for quite a long time. A user can
view the source of this page and there he will find the password, in plain
text.

I am working at a university. It is common to have computers open for
whoever passes by. I wonder what happens if a malicious one just disables
the JavaScript in a couple of computers and asks some students to test if
their mail is working. The access fails, the student goes and the bad one
can now inspect the form code.

This is the code I am using now (from Tejeerd van der Zee):
<?php
// Credentials arrive in the query string and are echoed into a hidden,
// auto-submitting form, so the password ends up in the page source.
$imapuser = $_GET['imapuser'];
$pass = $_GET['pass'];
$realm = $_GET['realm'];
$imapuser = "$imapuser@$realm";
// htmlspecialchars() keeps a quote or angle bracket in the values from
// breaking out of the attribute; it does not hide the values themselves.
$imapuser_html = htmlspecialchars($imapuser, ENT_QUOTES);
$pass_html = htmlspecialchars($pass, ENT_QUOTES);
print ("
<html>
<head>
</head>
<body bgcolor=\"#444466\" onload=\"document.redirect.submit()\">
<form name=\"redirect\" action=\"http://mail.xar.nl/imp/redirect.php\"
method=\"post\">
<input type=\"hidden\" name=\"actionID\" value=\"105\" />
<input type=\"hidden\" name=\"redirect_url\" value=\"\" />
<input type=\"hidden\" name=\"mailbox\" value=\"INBOX.\" />
<input type=\"hidden\" name=\"imapuser\" value=\"$imapuser_html\" />
<input type=\"hidden\" name=\"pass\" value=\"$pass_html\" />
</form>
</body>
</html>
");
?>
----
Enrique Castro
Dpto. de Bioquímica
ULPGC
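As an added example, not code from this thread or from Horde/IMP: the hidden-form pattern discussed above beside a token handoff that keeps the credentials on the server so the intermediary page never carries the password. The /handoff endpoint, mail.example.edu and the sample credentials are hypothetical, and the endpoint is assumed to complete the IMP login server-side rather than by emitting another credential-bearing form.

```python
import secrets
import time
from html import escape

# Constructed sample credentials for the demonstration; not a real account.
SAMPLE_USER = "student@example.edu"
SAMPLE_PASS = "correct horse battery staple"


def autosubmit_page(imapuser, password):
    """The pattern from the thread: credentials become hidden form fields,
    so anyone who views the source (or has JavaScript off) reads the password."""
    return (
        '<form name="redirect" action="https://mail.example.edu/imp/redirect.php" method="post">'
        f'<input type="hidden" name="imapuser" value="{escape(imapuser)}">'
        f'<input type="hidden" name="pass" value="{escape(password)}">'
        "</form>"
    )


class HandoffStore:
    """Server-side, single-use, short-lived credential handoff: the browser only
    ever sees an opaque token, the credentials never leave the server."""
    def __init__(self, ttl_seconds=30):
        self.ttl = ttl_seconds
        self._pending = {}  # token -> (imapuser, password, expires_at)

    def issue(self, imapuser, password, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 CSPRNG bits: not guessable
        self._pending[token] = (imapuser, password, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        # Returns (imapuser, password) once, or None if unknown, used or expired.
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)  # pop: one redemption only
        if entry is None:
            return None
        imapuser, password, expires_at = entry
        if now > expires_at:
            return None  # too old; the pop above already discarded it
        return imapuser, password


def token_page(token):
    """Intermediary page that auto-submits only the token to /handoff (hypothetical),
    which redeems it and completes the IMP login server-side."""
    return (
        '<form name="redirect" action="/handoff" method="post">'
        f'<input type="hidden" name="token" value="{escape(token)}">'
        "</form>"
    )
```

With JavaScript disabled the token page still shows a hidden field, but it now holds a value that is useless after one redemption or 30 seconds instead of the account password.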