Just looked at the contents of the dope directory of my new acmemail installation. Was shocked to know that passwords of logged in users are in plaintext in files in this directory. And the default permissions allow anybody with an account on the web server to view these files.

I changed the permissions to 700 for dope and added "umask 0077" to acmemail.cgi. But this is still serious. Can the passwords be kept encrypted in some form?
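The two fixes the post describes (chmod 700 on the session directory, umask 0077 before the CGI creates files) and a check that they actually took effect, as an added shell example that is not acmemail's own code. The directory path is a parameter, the session file name is a constructed placeholder, and the script makes no assumption about how acmemail itself names or formats its session files:

```shell
#!/bin/sh
# Added example, not from acmemail: lock down and audit a session-file
# directory such as acmemail's "dope" directory. Only local-user exposure
# through file permissions is addressed here; what is stored inside the
# files is a separate question.

# Create a session file under "umask 0077" in a subshell so the umask does
# not leak into the caller. The file ends up mode 0600 whatever umask the
# web server started the CGI with.
create_session_file() {
    dir=$1
    name=$2
    (
        umask 0077
        : > "$dir/$name"
    )
}

# The post's "chmod 700 dope": only the owner (the web server user) may
# list, read or traverse the directory.
lock_session_dir() {
    chmod 700 "$1"
}

# Audit: list every entry under $1 that group or others can read or write.
# Returns 0 when nothing is exposed to other local accounts, 1 otherwise.
# Symbolic -perm modes are POSIX, so this runs on GNU and BSD find alike.
audit_session_dir() {
    dir=$1
    exposed=$(find "$dir" \( -perm -g+r -o -perm -g+w \
                              -o -perm -o+r -o -perm -o+w \) -print)
    if [ -n "$exposed" ]; then
        printf 'Readable or writable by other local accounts:\n%s\n' "$exposed"
        return 1
    fi
    return 0
}

# Usage when run directly:  sh harden_sessions.sh /path/to/dope
# Locks the directory, then reports anything still exposed.
if [ $# -gt 0 ]; then
    lock_session_dir "$1"
    audit_session_dir "$1"
fi
```

Run the audit from a cron job or after an upgrade, since a new release or a restored backup can silently reset the directory mode; the audit exits non-zero when any session file or the directory itself is group- or world-accessible.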
Wow, didn't even realize that. I've forwarded your concern to somebody who has been working on beefing up security in acmemail classic, so we'll see what happens there.
You probably want to upgrade to the CVS version of acmemail, as it has numerous security fixes, Cross Site Referer Forgery protection, session fixes, better encryption of passwords, etc. Check it out. Besides all those changes, nothing else has really changed, so we should really put out CVS as 2.2.3 soon.