>
> On Aug 22, 2010, at 2:37 PM, Christian Boltz wrote:
> > Hello Mr Schinzel,
> >
> > (@David: please use google translate de -> en ;-)
> >
>
>
> Sorry for writing in German. Christian's name is clearly German
> and it did not come to me that non-Germans could be involved.
>
Don't worry; I have a Spanish friend who keeps me using
http://translate.google.com :-) it's no great problem. Anyway, Christian
is more active than I in the project at the moment, so you did at least
choose correctly :)
(As a side note, Christian is a common English name, yet there does indeed
appear to be a lack of Boltzes in the telephone book - e.g.
http://www.thephonebook.bt.com/publisha.content/en/search/residential/search.publisha?Surname=boltz&x=0&y=0&Location=LONDON&OriginalLocation=london&Range=xloc )
Christian - why doesn't your family emigrate and spread around the world a
bit more? :-) )
Anyway, back on track:
My only input is that a similar bug existed before - namely if you had
an incorrect password postfixadmin displayed a slightly different
message (e.g. invalid password) rather than the more secure "Invalid
username and/or password". I think this was on the user login page. We
did fix this, but it can be argued to be useful to tell the end user
that their username is correct but password isn't.
Ignorance would make me think that most admins are going to be in the
system as 'admin@$domain_name' or 'support@$domain_name' - so it may not
be hard to guess correctly anyway. I tend to always install postfixadmin
behind an Apache password prompt thing anyway - just for additional
protection.
I understand it's technically a vulnerability, but it's not new -
similar vulnerabilities have been encountered before in other web
applications - I'd argue that e.g. Facebook's recent bug whereby it's
possible to discover if an email address is valid (well - known to
facebook as a login) and get someone's full name out of it is more
concerning.
What would worry me far more would be if we somehow echoed out the
hashed password in the HTML returned, or had an SQL / XSS injection or
arbitrary code execution security hole :)
Anyway, thank you for reporting it - Christian has fixed the problem it
seems - and release 2.3.2 will be finding its way onto the internet
shortly ... I've packaged up the .deb / .tar.gz and Christian will be
pushing them and an .rpm to sourceforge shortly.
Please feel free to continue prodding Postfixadmin, and we welcome all
feedback and bug reports... and patches even more so!
thanks,
David.
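The two login behaviours David describes, as an added illustration that is not postfixadmin's code: a "before" handler whose error text differs for an unknown username versus a wrong password, beside a handler that always returns the single "Invalid username and/or password" message and does the same hashing work on both paths, so response timing does not give the distinction away either. The account table, salts and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; iteration count kept low for a quick demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

# Constructed in-memory "admin table": username -> (salt, password hash).
_SALT = os.urandom(16)
ADMINS = {"admin@example.com": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential verified when the username is unknown, so the
# unknown-user path costs the same as the wrong-password path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_ERROR = "Invalid username and/or password"

def login_leaky(username, password):
    """'Before' behaviour: the message reveals whether the username exists."""
    if username not in ADMINS:
        return False, "Invalid username"
    salt, stored = ADMINS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Invalid password"
    return True, "OK"

def login_uniform(username, password):
    """Hardened: one message and the same work whether the user exists or not."""
    salt, stored = ADMINS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    # An unknown user never authenticates, even if the dummy hash matched.
    ok = matched and username in ADMINS
    return (True, "OK") if ok else (False, GENERIC_ERROR)

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn("nobody@example.com", "x"), fn("admin@example.com", "x"))
```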