To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dtc-common: sends password of new users to site admin by unencrypted email
Date: Sun, 20 Feb 2011 23:02:37 +0100
Package: dtc-common
Version: 0.29.17-1
Severity: grave
Tags: upstream security
dtc sends the password of new users to the webmaster:
$mail_content = "
Somebody tried to register an account. Here is the details of
the new user:
login: ".$_REQUEST["reqadm_login"]."
pass: ".$_REQUEST["reqadm_pass"]."
[...]
mail($conf_webmaster_email_addr, "$conf_message_subject_header Somebody tried to register an account", $mail_content, $headers);
(from client/new_account_form.php)
This mail is not encrypted. I also don't see any reason why the
webmaster should even know the password...
Ansgar
Severity set to 'normal' from 'grave'
Request was from Thomas Goirand <thomas@goirand.fr> to control@bugs.debian.org. (Mon, 21 Feb 2011 09:21:20 GMT)
Removed tag(s) security.
Request was from Thomas Goirand <thomas@goirand.fr> to control@bugs.debian.org. (Mon, 21 Feb 2011 09:21:20 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>: Bug#614302; Package dtc-common. (Mon, 21 Feb 2011 09:27:06 GMT)
Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>: Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Mon, 21 Feb 2011 09:27:06 GMT)
To: Ansgar Burchardt <ansgar@2008.43-1.org>, 614302@bugs.debian.org
Subject: Re: Bug#614302: dtc-common: sends password of new users to site admin by unencrypted email
Date: Mon, 21 Feb 2011 17:24:10 +0800
On 02/21/2011 06:02 AM, Ansgar Burchardt wrote:
> Package: dtc-common
> Version: 0.29.17-1
> Severity: grave
> Tags: upstream security
>
> dtc sends the password of new users to the webmaster:
>
> $mail_content = "
> Somebody tried to register an account. Here is the details of
> the new user:
>
> login: ".$_REQUEST["reqadm_login"]."
> pass: ".$_REQUEST["reqadm_pass"]."
> [...]
> mail($conf_webmaster_email_addr, "$conf_message_subject_header Somebody tried to register an account", $mail_content, $headers);
>
> (from client/new_account_form.php)
>
> This mail is not encrypted.
Most of the time, the receiving server would be the same server
receiving the email. If that's not the case, then the admin is free to
setup encryption (and maybe auth) between the 2 SMTP servers.
> I also don't see any reason why the
> webmaster should even know the password...
The reason is very simple: anti-fraud. Many times, you see the same
hacker registering with the same password, and it helps detecting it.
Also, you want the admin to see the weakest password to be able to do a
bit of policing.
This deserves a "wishlist" security at most!!!
Thomas
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>: Bug#614302; Package dtc-common. (Mon, 21 Feb 2011 10:33:03 GMT)
Acknowledgement sent to Ansgar Burchardt <ansgar@43-1.org>: Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Mon, 21 Feb 2011 10:33:03 GMT)
Subject: Re: Bug#614302: dtc-common: sends password of new users to site admin by unencrypted email
Date: Mon, 21 Feb 2011 11:29:43 +0100
Thomas Goirand <thomas@goirand.fr> writes:
>> dtc sends the password of new users to the webmaster:
[...]
>> This mail is not encrypted.
>
> Most of the time, the receiving server would be the same server
> receiving the email. If that's not the case, then the admin is free to
> setup encryption (and maybe auth) between the 2 SMTP servers.
So it's "maybe" secure? And it doesn't help against compromise of the
host where mails are stored.
>> I also don't see any reason why the
>> webmaster should even know the password...
>
> The reason is very simple: anti-fraud. Many times, you see the same
> hacker registering with the same password, and it helps detecting it.
> Also, you want the admin to see the weakest password to be able to do a
> bit of policing.
This really is one of the worst reasons I have ever seen...
Ansgar
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>: Bug#614302; Package dtc-common. (Mon, 21 Feb 2011 14:45:09 GMT)
Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>: Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Mon, 21 Feb 2011 14:45:09 GMT)
To: Ansgar Burchardt <ansgar@43-1.org>, 614302@bugs.debian.org
Subject: Re: Bug#614302: dtc-common: sends password of new users to site admin by unencrypted email
Date: Mon, 21 Feb 2011 22:42:48 +0800
----- Original message -----
> Thomas Goirand <thomas@goirand.fr> writes:
> > > dtc sends the password of new users to the webmaster:
> [...]
> > > This mail is not encrypted.
> >
> > Most of the time, the receiving server would be the same server
> > receiving the email. If that's not the case, then the admin is free to
> > setup encryption (and maybe auth) between the 2 SMTP servers.
>
> So it's "maybe" secure?
No, it's secure by default if the destination email
is in the same computer (or same LAN) which will
most of the time be the case.
> And it doesn't help against compromise of the
> host where mails are stored.
Sure, and it doesn't prevent a nuclear bomb from
exploding either... Does that count?
Seriously, do you really think that receiving your
administrator messages on a "compromised host
where mails are stored" counts as an argument here?
> > The reason is very simple: anti-fraud. Many times, you see the same
> > hacker registering with the same password, and it helps detecting it.
> > Also, you want the admin to see the weakest password to be able to do a
> > bit of policing.
>
> This really is one of the worst reasons I have ever seen...
Yet thanks to seeing twice the same password, I was
able more than once to delete hacked accounts. Also,
I sometimes lock accounts by changing the client
password, and the history on my email makes it
possible for me to restore the old password. Yet,
don't see this as denying the issue... I didn't
close this bug! :)
You've made your points making these 2 bug reports,
thanks. Now if you want to continue helping, only a
patch will.
Thomas
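The notification from client/new_account_form.php rebuilt so that the webmaster still gets the registration alert, and still gets the password-reuse signal the maintainer describes above, without the plaintext password ever being mailed. This is an added example, not dtc's code and not the fix shipped in the package; the secret key, addresses and header values are constructed placeholders.

```php
<?php
// Added example, not dtc's own code: the admin notification from
// client/new_account_form.php rebuilt so the mail carries no plaintext
// password. The secret key and mail settings below are constructed placeholders.
// Server-side secret; in a real deployment it lives outside the web root.
const REUSE_FINGERPRINT_KEY = 'constructed-placeholder-replace-with-32-random-bytes';

// Keyed fingerprint of the password. Two registrations that reuse a password
// yield the same value (the anti-fraud signal), but the mail alone cannot be
// turned back into the password: without the key there is nothing to brute-force.
function password_reuse_fingerprint(string $password, string $key): string
{
    return substr(hash_hmac('sha256', $password, $key), 0, 16);
}

// Strip CR/LF and other control characters so a crafted login cannot inject
// extra lines into the notification body.
function clean_field(string $value): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', $value);
}

// Mail body sent to the webmaster: login plus fingerprint, never the password.
function build_registration_notice(string $login, string $password, string $key): string
{
    return "Somebody tried to register an account. Here are the details of\n"
         . "the new user:\n\n"
         . "login: " . clean_field($login) . "\n"
         . "password fingerprint: " . password_reuse_fingerprint($password, $key) . "\n";
}

$login    = (string) ($_REQUEST['reqadm_login'] ?? '');
$password = (string) ($_REQUEST['reqadm_pass'] ?? '');

// What the account record stores: a salted, slow hash checked later with
// password_verify(). The plaintext is not kept anywhere after this point.
$password_hash = password_hash($password, PASSWORD_DEFAULT);
$mail_content  = build_registration_notice($login, $password, REUSE_FINGERPRINT_KEY);

// Same mail() call as the original, with constructed values for the config
// variables; only sent when running under a web server, not from the CLI.
$conf_webmaster_email_addr   = 'webmaster@example.invalid';
$conf_message_subject_header = '[DTC]';
$headers = "From: noreply@example.invalid\r\n";
if (PHP_SAPI !== 'cli') {
    mail($conf_webmaster_email_addr, "$conf_message_subject_header Somebody tried to register an account",
         $mail_content, $headers);
}
```

The admin can still compare fingerprints between two notification mails to spot a reused password, which is the detection case the maintainer describes, while a leaked mailbox no longer yields usable credentials.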
Severity set to 'serious' from 'normal'
Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 21 Feb 2011 21:57:10 GMT)
Added tag(s) security.
Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 21 Feb 2011 21:57:11 GMT)
Changed Bug title to 'CVE-2011-0436: new users' unencrypted passwords emailed to site admin' from 'dtc-common: sends password of new users to site admin by unencrypted email'
Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Tue, 22 Feb 2011 00:57:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>: Bug#614302; Package dtc-common. (Tue, 22 Feb 2011 10:06:02 GMT)
Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>: Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Tue, 22 Feb 2011 10:06:03 GMT)
Subject: Bug#614302: fixed in dtc 0.29.17-1+lenny1
Date: Thu, 03 Mar 2011 01:56:09 +0000
Source: dtc
Source-Version: 0.29.17-1+lenny1
We believe that the bug you reported is fixed in the latest version of
dtc, which is due to be installed in the Debian FTP archive:
dtc-common_0.29.17-1+lenny1_all.deb
to main/d/dtc/dtc-common_0.29.17-1+lenny1_all.deb
dtc-core_0.29.17-1+lenny1_all.deb
to main/d/dtc/dtc-core_0.29.17-1+lenny1_all.deb
dtc-cyrus_0.29.17-1+lenny1_all.deb
to main/d/dtc/dtc-cyrus_0.29.17-1+lenny1_all.deb
dtc-postfix-courier_0.29.17-1+lenny1_all.deb
to main/d/dtc/dtc-postfix-courier_0.29.17-1+lenny1_all.deb
dtc-stats-daemon_0.29.17-1+lenny1_all.deb
to main/d/dtc/dtc-stats-daemon_0.29.17-1+lenny1_all.deb
dtc-toaster_0.29.17-1+lenny1_all.deb
to main/d/dtc/dtc-toaster_0.29.17-1+lenny1_all.deb
dtc_0.29.17-1+lenny1.diff.gz
to main/d/dtc/dtc_0.29.17-1+lenny1.diff.gz
dtc_0.29.17-1+lenny1.dsc
to main/d/dtc/dtc_0.29.17-1+lenny1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 614302@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated dtc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 23 Feb 2011 02:17:33 +0800
Source: dtc
Binary: dtc-common dtc-core dtc-cyrus dtc-postfix-courier dtc-stats-daemon dtc-toaster
Architecture: source all
Version: 0.29.17-1+lenny1
Distribution: lenny-security
Urgency: low
Maintainer: Thomas Goirand <thomas@goirand.fr>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
dtc-common - web control panel for admin and accounting hosting services (comm
dtc-core - web control panel for admin and accounting hosting services (fewe
dtc-cyrus - web control panel for admin and accounting hosting services (cyru
dtc-postfix-courier - web control panel for admin and accounting hosting services (more
dtc-stats-daemon - dtc-xen VM statistics for the dtc web control panel
dtc-toaster - web control panel for admin and accounting hosting services (meta
Closes: 614302
Changes:
dtc (0.29.17-1+lenny1) lenny-security; urgency=low
.
* Fixes: CVE-2011-0434: SQL injection in bw_per_month.php graph
* Fixes: CVE-2011-0435: Bandwidth information disclosure in bw_per_month.php
graph.
* Fixes: CVE-2011-0436: Passwords being emailed to the admin in clear text
(Closes: #614302).
* Fixes: CVE-2011-0437: Removed dangerous SQL old unused code for ssh
accounts management.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 17 Sep 2011 07:30:11 GMT)