Re: [Postfixadmin-devel] Security notice for Postfixadmin
From: David G. <da...@co...> - 2010-08-23 11:08:27
> On Aug 22, 2010, at 2:37 PM, Christian Boltz wrote:
> > Hello Mr. Schinzel,
> >
> > (@David: please use google translate de -> en ;-)
> >
> Sorry for writing in German. Christian's name is clearly German
> and it did not come to me that non-Germans could be involved.

Don't worry; I have a Spanish friend who keeps me using http://translate.google.com :-) it's no great problem. Anyway, Christian is more active than I in the project at the moment, so you did at least choose correctly :)

(As a side note, Christian is a common English name, yet there does indeed appear to be a lack of Boltzes in the telephone book - e.g. http://www.thephonebook.bt.com/publisha.content/en/search/residential/search.publisha?Surname=boltz&x=0&y=0&Location=LONDON&OriginalLocation=london&Range=xloc ) Christian - why don't your family emigrate and spread around the world a bit more? :-) )

Anyway, back on track: My only input is that a similar bug existed before - namely, if you had an incorrect password, postfixadmin displayed a slightly different message (e.g. "invalid password") rather than the more secure "Invalid username and/or password". I think this was on the user login page. We did fix this, but it can be argued to be useful to tell the end user that their username is correct but their password isn't. Ignorance would make me think that most admins are going to be in the system as 'admin@$domain_name' or 'support@$domain_name' - so it may not be hard to guess correctly anyway. I tend to always install postfixadmin behind an Apache password prompt thing anyway - just for additional protection.

I understand it's technically a vulnerability, but it's not new - similar vulnerabilities have been encountered before in other web applications - I'd argue that e.g. Facebook's recent bug, whereby it's possible to discover if an email address is valid (well - known to Facebook as a login) and get someone's full name out of it, is more concerning.

What would worry me far more would be if we somehow echoed out the hashed password in the HTML returned, or had an SQL / XSS injection or arbitrary code execution security hole :)

Anyway, thank you for reporting it - Christian has fixed the problem, it seems - and release 2.3.2 will be finding its way onto the internet shortly ... I've packaged up the .deb / .tar.gz and Christian will be pushing them and an .rpm to sourceforge shortly.

Please feel free to continue prodding Postfixadmin, and we welcome all feedback and bug reports... and patches even more so!

thanks,
David.
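The login-message issue David describes above (a distinct "invalid password" reply versus the uniform "Invalid username and/or password") is the classic username-enumeration oracle. The following is an added example, not Postfixadmin's own code and not from anyone in this thread; it is written in Python rather than PHP purely for portability, with a constructed in-memory user table and hypothetical function names. It places the leaky pattern next to a hardened version that returns the same message for both failure causes and does the same password-hashing work whether or not the username exists, so that neither the text nor the response time distinguishes the two cases. A small defender-side check confirms the two failure paths are indistinguishable.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed example data: a plain dict standing in for the admin table.
# (Assumption: PBKDF2-SHA256 with a per-user salt; not Postfixadmin's storage format.)
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from a password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_table(creds: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build username -> (salt, digest) from plaintext credentials (constructed sample)."""
    table = {}
    for name, password in creds.items():
        salt = os.urandom(16)
        table[name] = (salt, hash_password(password, salt))
    return table


USERS = make_user_table({"admin@example.com": "correct horse battery staple"})

# Dummy salt/digest for unknown usernames, so an unknown user still costs exactly one
# PBKDF2 computation. The dummy password is random so no submitted value can match it.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = hash_password(os.urandom(16).hex(), _DUMMY_SALT)

UNIFORM_MESSAGE = "Invalid username and/or password"


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """The pattern the mail describes: different messages reveal whether the username exists,
    and an unknown user is rejected before any hashing, which also leaks through timing."""
    entry = USERS.get(username)
    if entry is None:
        return False, "Unknown user"
    salt, expected = entry
    if hash_password(password, salt) != expected:
        return False, "Invalid password"
    return True, "Login OK"


def login_uniform(username: str, password: str) -> Tuple[bool, str]:
    """Hardened form: one message for every failure, and the same hashing work in every path."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = hash_password(password, salt)          # always computed, even for unknown users
    digest_ok = hmac.compare_digest(candidate, expected)  # constant-time comparison
    if not (digest_ok and username in USERS):
        return False, UNIFORM_MESSAGE
    return True, "Login OK"


def responses_distinguish_users(login) -> bool:
    """Defender check: does this login function answer differently for an unknown
    username than for a known username with the wrong password? True means it leaks."""
    unknown_user = login("nobody@example.com", "not-the-password")
    wrong_password = login("admin@example.com", "not-the-password")
    return unknown_user != wrong_password


if __name__ == "__main__":
    for name, fn in (("login_leaky", login_leaky), ("login_uniform", login_uniform)):
        print(f"{name}: distinguishes usernames = {responses_distinguish_users(fn)}")
```

The `responses_distinguish_users` check is the kind of assertion worth keeping in a test suite: it fails loudly if someone later reintroduces a "helpful" per-cause message. Equalising the hashing work matters as much as the message text, since a fast rejection of unknown usernames can be measured even when the HTML is identical.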