[imp] Re: encrypted login password in form

Enrique ecastro at dbbf.ulpgc.es
Sat Jul 24 09:47:19 PDT 2004


Michael Yingbull wrote:
> 
> On 23-Jul-04, at 11:38 AM, Enrique wrote:
>>  My university uses Horde/IMP as main WebMail system for staff and 
>> students. I want to integrate this mail system with other tools. I 
>> know how to login using a hidden form. However, the examples I have 
>> seen expose passwords in plain text in the hidden form.
> 
> Just use IMP in SSL mode.   Any credential you pass in plain text is 
> still in plain text.   If your IMP runs over https instead of http, 
> you'll get the encryption of the plain text traffic (password and 
> otherwise) you're looking for.
> 

Thanks for your answer Michael, however, I am worried by other things in 
addition to traffic. The example I have found uses a hidden form in an 
auto-submit way, like the code posted by Tejeerd van der Zee on 16/08/2002 
(see below).

It does work and I can log into IMP from my web application, but the 
intermediary page gets displayed for quite a long time. A user can view 
the source of this page and there he will find the password, in plain text.
I am working at a university. It is common to have computers open for 
whoever passes by. I wonder what happens if a malicious one just disables 
the JavaScript in a couple of computers and asks some students to test if 
their mail is working. The access fails, the student goes, and the bad one can 
now inspect the form code.


This is the code I am using now (from Tejeerd van der Zee)

<?php
// Credentials arrive from the calling web application as query parameters.
$imapuser = $_GET['imapuser'];
$pass     = $_GET['pass'];
$realm    = $_GET['realm'];
$imapuser = "$imapuser@$realm";

// Escape the values so they cannot break out of the HTML attributes below.
$imapuser_attr = htmlspecialchars($imapuser, ENT_QUOTES);
$pass_attr     = htmlspecialchars($pass, ENT_QUOTES);

// Intermediary page: a hidden form that posts the credentials to IMP's
// redirect.php and submits itself as soon as the page has loaded.
// The password is still present in this page's source.
print ("
<html>
<head>
</head>
<body bgcolor=\"#444466\" onload=\"document.redirect.submit()\">
<form name=\"redirect\" action=\"http://mail.xar.nl/imp/redirect.php\"
method=\"post\">
<input type=\"hidden\" name=\"actionID\" value=\"105\" />
<input type=\"hidden\" name=\"redirect_url\" value=\"\" />
<input type=\"hidden\" name=\"mailbox\" value=\"INBOX.\" />
<input type=\"hidden\" name=\"imapuser\" value=\"$imapuser_attr\" />
<input type=\"hidden\" name=\"pass\" value=\"$pass_attr\" />
</form>
</body>
</html>
");
?>

----
Enrique Castro
Dpto. de Bioquímica
ULPGC
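Added example (not from this thread, nor from Horde/IMP): the exposure Enrique describes exists because the auto-submitting form carries the credential itself, so whoever can read the intermediary page (view source, JavaScript disabled, browser cache) can read the password. The pattern below keeps the credential on the server and puts only an opaque, short-lived, single-use token in the form; the receiving endpoint exchanges the token for the credential server-side. It is written in Python so both sides run in one process, and it assumes a receiving endpoint you control: IMP's redirect.php, as used in the script above, expects the password itself, so this pattern applies when integrating with tools whose login side you can change. The class and function names, the 30-second TTL and the sample values are all constructed for the example.

```python
"""One-time token handoff between a web application and a mail front end.

Constructed example: the credential stays on the server and only an opaque,
short-lived, single-use token is placed in the auto-submitting form.
"""
import html
import secrets
import time

TOKEN_TTL_SECONDS = 30  # assumption: long enough for one browser redirect, no more


class HandoffBroker:
    """Server-side store mapping handoff tokens to the credentials they stand for."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._pending = {}       # token -> (username, password, expires_at)

    def issue(self, username, password):
        """Register a credential and return the opaque token to put in the form."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = (username, password, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return (username, password) once; unknown, reused or expired tokens yield None."""
        entry = self._pending.pop(token, None)   # pop makes the token single-use
        if entry is None:
            return None
        username, password, expires_at = entry
        if self._now() > expires_at:
            return None
        return username, password


def render_handoff_page(token, action_url):
    """Build the intermediary page. Only the token appears in the HTML.

    Returns (headers, body). The no-store headers keep the page out of the
    browser cache; the <noscript> button lets a browser without JavaScript
    continue, and even then nothing sensitive is in the page source.
    """
    headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
    body = (
        "<html><head><title>Signing in...</title></head>\n"
        '<body onload="document.forms.handoff.submit()">\n'
        '<form name="handoff" method="post" action="%s">\n'
        '<input type="hidden" name="handoff_token" value="%s" />\n'
        '<noscript><input type="submit" value="Continue to mail" /></noscript>\n'
        "</form></body></html>\n"
    ) % (html.escape(action_url, quote=True), html.escape(token, quote=True))
    return headers, body


def receive_handoff(broker, form_fields):
    """Receiving side (the endpoint you control): exchange the posted token
    for the credential, or None if the token is unknown, reused or expired."""
    token = form_fields.get("handoff_token", "")
    return broker.redeem(token)


if __name__ == "__main__":
    broker = HandoffBroker()
    # Constructed sample values; nothing here is a real account.
    tok = broker.issue("enrique@example.test", "s3cret-passw0rd")
    hdrs, page = render_handoff_page(tok, "https://mail.example.test/handoff.php")
    print(page)
    print("password in page source:", "s3cret-passw0rd" in page)
    print("first redeem:", receive_handoff(broker, {"handoff_token": tok}))
    print("second redeem:", receive_handoff(broker, {"handoff_token": tok}))
```

The token store here is an in-memory dict, so both sides must share a process; in a real deployment it would live in a server-side session store or database reachable by the web application and the mail front end, and the issuing request should itself be a POST so the credential never appears in a URL or an access log.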



