[Pkg-javascript-devel] Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile

Marco Herrn herrn at sout.de
Wed Jun 10 22:19:41 BST 2020


Package: rainloop
Version: 1.12.1-2
Severity: important

Dear Maintainer,

When writing into a logfile, rainloop writes the passwords of all login
attempts (successful or not) into the logfile in cleartext.

Rainloop provides an option 'hide_passwords' in the application.ini that
should prohibit that behaviour, which is by default set to 'On'. But
apparently this doesn't have any effect.

There is already an unresolved GitHub issue about that topic:
https://github.com/RainLoop/rainloop-webmail/issues/1872

Even though this issue doesn't affect the actual usability of rainloop,
I set the severity to 'Important' as this is a security issue.


-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rainloop depends on:
ii  apache2 [httpd]         2.4.38-3+deb10u3
ii  ckeditor                4.11.1+dfsg-1
ii  php-curl                2:7.3+69
ii  php-fpm                 2:7.3+69
ii  php-nrk-predis          1.0.0-1
ii  php-pclzip              2.8.2-4
ii  php-seclib              1.0.14-1
ii  php-xml                 2:7.3+69
ii  php7.3-curl [php-curl]  7.3.14-1~deb10u1
ii  php7.3-fpm [php-fpm]    7.3.14-1~deb10u1
ii  php7.3-json [php-json]  7.3.14-1~deb10u1
ii  php7.3-xml [php-xml]    7.3.14-1~deb10u1

rainloop recommends no packages.

Versions of packages rainloop suggests:
pn  php5-sqlite | php5-mysql | php5-pgsql  <none>

-- Configuration Files:
/etc/rainloop/application.ini changed [not included]
/etc/rainloop/rainloop.apache.conf changed [not included]

-- no debconf information


