Debian Bug report logs - #614302
CVE-2011-0436: new users' unencrypted passwords emailed to site admin


Package: dtc-common; Maintainer for dtc-common is Thomas Goirand <zigo@debian.org>; Source for dtc-common is src:dtc.

Reported by: Ansgar Burchardt <ansgar@2008.43-1.org>

Date: Sun, 20 Feb 2011 22:06:01 UTC

Severity: serious

Tags: security, upstream

Found in version dtc/0.29.17-1

Fixed in version dtc/0.29.17-1+lenny1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#614302; Package dtc-common. (Sun, 20 Feb 2011 22:06:04 GMT)

Message #3 received at submit@bugs.debian.org:

From: Ansgar Burchardt <ansgar@2008.43-1.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dtc-common: sends password of new users to site admin by unencrypted email
Date: Sun, 20 Feb 2011 23:02:37 +0100
Package: dtc-common
Version: 0.29.17-1
Severity: grave
Tags: upstream security

dtc sends the password of new users to the webmaster:

  $mail_content = "
  Somebody tried to register an account. Here is the details of
  the new user:

  login: ".$_REQUEST["reqadm_login"]."
  pass: ".$_REQUEST["reqadm_pass"]."
  [...]
  mail($conf_webmaster_email_addr, "$conf_message_subject_header Somebody tried to register an account", $mail_content, $headers);

(from client/new_account_form.php)

This mail is not encrypted.  I also don't see any reason why the
webmaster should even know the password...

Ansgar




Severity set to 'normal' from 'grave'. Request was from Thomas Goirand <thomas@goirand.fr> to control@bugs.debian.org. (Mon, 21 Feb 2011 09:21:20 GMT)

Removed tag(s) security. Request was from Thomas Goirand <thomas@goirand.fr> to control@bugs.debian.org. (Mon, 21 Feb 2011 09:21:20 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#614302; Package dtc-common. (Mon, 21 Feb 2011 09:27:06 GMT)

Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Mon, 21 Feb 2011 09:27:06 GMT)

Message #12 received at 614302@bugs.debian.org:

From: Thomas Goirand <thomas@goirand.fr>
To: Ansgar Burchardt <ansgar@2008.43-1.org>, 614302@bugs.debian.org
Subject: Re: Bug#614302: dtc-common: sends password of new users to site admin by unencrypted email
Date: Mon, 21 Feb 2011 17:24:10 +0800
On 02/21/2011 06:02 AM, Ansgar Burchardt wrote:
> Package: dtc-common
> Version: 0.29.17-1
> Severity: grave
> Tags: upstream security
> 
> dtc sends the password of new users to the webmaster:
> 
>   $mail_content = "
>   Somebody tried to register an account. Here is the details of
>   the new user:
> 
>   login: ".$_REQUEST["reqadm_login"]."
>   pass: ".$_REQUEST["reqadm_pass"]."
>   [...]
>   mail($conf_webmaster_email_addr, "$conf_message_subject_header Somebody tried to register an account", $mail_content, $headers);
> 
> (from client/new_account_form.php)
> 
> This mail is not encrypted.

Most of the time, the receiving server would be the same server
receiving the email. If that's not the case, then the admin is free to
set up encryption (and maybe auth) between the 2 SMTP servers.

> I also don't see any reason why the
> webmaster should even know the password...

The reason is very simple: anti-fraud. Many times, you see the same
hacker registering with the same password, and it helps detect it.
Also, you want the admin to see the weakest password to be able to do a
bit of policing.

This deserves a "wishlist" security at most!!!

Thomas




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#614302; Package dtc-common. (Mon, 21 Feb 2011 10:33:03 GMT)

Acknowledgement sent to Ansgar Burchardt <ansgar@43-1.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Mon, 21 Feb 2011 10:33:03 GMT)

Message #17 received at 614302@bugs.debian.org:

From: Ansgar Burchardt <ansgar@43-1.org>
To: 614302@bugs.debian.org
Subject: Re: Bug#614302: dtc-common: sends password of new users to site admin by unencrypted email
Date: Mon, 21 Feb 2011 11:29:43 +0100
Thomas Goirand <thomas@goirand.fr> writes:
>> dtc sends the password of new users to the webmaster:
[...]
>> This mail is not encrypted.
>
> Most of the time, the receiving server would be the same server
> receiving the email. If that's not the case, then the admin is free to
> setup encryption (and maybe auth) between the 2 SMTP servers.

So it's "maybe" secure?  And it doesn't help against compromise of the
host where mails are stored.

>> I also don't see any reason why the
>> webmaster should even know the password...
>
> The reason is very simple: anti-fraud. Many times, you see the same
> hacker registering with the same password, and it helps detecting it.
> Also, you want the admin to see the weakest password to be able to do a
> bit of policing.

This really is one of the worst reasons I have ever seen...

Ansgar




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#614302; Package dtc-common. (Mon, 21 Feb 2011 14:45:09 GMT)

Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Mon, 21 Feb 2011 14:45:09 GMT)

Message #22 received at 614302@bugs.debian.org:

From: Thomas Goirand <thomas@goirand.fr>
To: Ansgar Burchardt <ansgar@43-1.org>, 614302@bugs.debian.org
Subject: Re: Bug#614302: dtc-common: sends password of new users to site admin by unencrypted email
Date: Mon, 21 Feb 2011 22:42:48 +0800
----- Original message -----
> Thomas Goirand <thomas@goirand.fr> writes:
> > > dtc sends the password of new users to the webmaster:
> [...]
> > > This mail is not encrypted.
> > 
> > Most of the time, the receiving server would be the same server
> > receiving the email. If that's not the case, then the admin is free to
> > setup encryption (and maybe auth) between the 2 SMTP servers.
> 
> So it's "maybe" secure?

No, it's secure by default if the destination email
is on the same computer (or same LAN), which will
most of the time be the case.

> And it doesn't help against compromise of the
> host where mails are stored.

Sure, and it doesn't prevent a nuclear bomb from
exploding either... Does that count?

Seriously, do you really think that receiving your
administrator messages on a "compromised host
where mails are stored" counts as an argument here?

> > The reason is very simple: anti-fraud. Many times, you see the same
> > hacker registering with the same password, and it helps detecting it.
> > Also, you want the admin to see the weakest password to be able to do a
> > bit of policing.
> 
> This really is one of the worst reasons I have ever seen...

Yet thanks to seeing twice the same password, I was
able more than once to delete hacked accounts. Also,
I sometimes lock accounts by changing the client
password, and the history on my email makes it
possible for me to restore the old password. Yet,
don't see this as denying the issue... I didn't
close this bug! :)

You've made your points making these 2 bug reports,
thanks. Now if you want to continue helping, only a
patch will.

Thomas





Severity set to 'serious' from 'normal'. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 21 Feb 2011 21:57:10 GMT)

Added tag(s) security. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 21 Feb 2011 21:57:11 GMT)

Changed Bug title to 'CVE-2011-0436: new users' unencrypted passwords emailed to site admin' from 'dtc-common: sends password of new users to site admin by unencrypted email'. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Tue, 22 Feb 2011 00:57:02 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#614302; Package dtc-common. (Tue, 22 Feb 2011 10:06:02 GMT)

Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Tue, 22 Feb 2011 10:06:03 GMT)

Message #33 received at 614302@bugs.debian.org:

From: Thomas Goirand <thomas@goirand.fr>
To: 614302@bugs.debian.org
Subject: Patch for the issue
Date: Tue, 22 Feb 2011 18:03:12 +0800
Hi,

Here's a patch for not sending passwords (with an option to keep the old
behavior if you want to).

Thomas
[0002-Fixes-CVE-2011-0436-password-being-mailed-in-clear-t.patch (text/x-diff, attachment)]
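The snippet quoted in the original report (client/new_account_form.php) puts $_REQUEST["reqadm_pass"] straight into the notification mail, and the patch announced above is described as dropping the password while keeping an option for the old behaviour. The following is an added example of what such a hardened notification can look like; it is not dtc's code and not the attached patch. It reuses the names from the reported snippet ($conf_webmaster_email_addr, $conf_message_subject_header, $headers, $_REQUEST["reqadm_login"], $_REQUEST["reqadm_pass"], mail()); the settings $conf_mail_password_to_admin and $conf_password_fingerprint_key are hypothetical, and the placeholder values for the existing configuration are constructed. It goes slightly beyond the page in that, instead of sending nothing at all, it sends a keyed fingerprint of the password, which keeps the "same password showing up twice" signal the maintainer mentions without putting the password itself in the mailbox.

```php
<?php
// Added example, not dtc's code and not the patch attached to this bug:
// a registration notice that omits the plaintext password by default.
// Names reused from the bug report's snippet: $conf_webmaster_email_addr,
// $conf_message_subject_header, $headers, $_REQUEST["reqadm_login"],
// $_REQUEST["reqadm_pass"], mail().
// Hypothetical settings introduced here: $conf_mail_password_to_admin,
// $conf_password_fingerprint_key.

// Hypothetical setting: the old behaviour exists only as an explicit opt-in.
$conf_mail_password_to_admin = false;

// Hypothetical setting: a long random secret that never leaves the server.
// Identical passwords give identical fingerprints, so an admin can still spot
// the same password being reused across registrations without seeing it.
$conf_password_fingerprint_key = 'CHANGE-ME-long-random-secret';

// Constructed placeholders for the configuration the snippet relies on.
$conf_webmaster_email_addr   = 'webmaster@example.invalid';
$conf_message_subject_header = '[dtc]';
$headers                     = "From: noreply@example.invalid\r\n";

function build_registration_notice(array $req, bool $mail_password, string $fp_key): string
{
    $login = (string) ($req['reqadm_login'] ?? '');
    $pass  = (string) ($req['reqadm_pass'] ?? '');

    $lines = [
        'Somebody tried to register an account. Here are the details of',
        'the new user:',
        '',
        'login: ' . $login,
    ];

    if ($mail_password) {
        // Opt-in only: this is the behaviour the bug report is about.
        $lines[] = 'pass: ' . $pass;
    } else {
        // Keyed fingerprint (HMAC-SHA256, shortened to 16 hex digits for
        // readability). Without $fp_key it cannot be turned back into the
        // password; equality between two registrations remains visible.
        $fp = substr(hash_hmac('sha256', $pass, $fp_key), 0, 16);
        $lines[] = 'pass fingerprint: ' . $fp;
    }

    return implode("\n", $lines) . "\n";
}

$mail_content = build_registration_notice(
    $_REQUEST,
    $conf_mail_password_to_admin,
    $conf_password_fingerprint_key
);

mail(
    $conf_webmaster_email_addr,
    "$conf_message_subject_header Somebody tried to register an account",
    $mail_content,
    $headers
);
```

The fingerprint only reveals whether two submitted passwords are equal. If both the mailbox and $conf_password_fingerprint_key are compromised, the fingerprints become an offline guessing target, so the strictly safest configuration is to send nothing derived from the password at all; the fingerprint is a middle ground for sites that want the duplicate-detection signal. Locking an account, the other use the maintainer describes, is better done with an explicit lock flag on the account than by changing the password and recovering the old one from mail history.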

Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 03 Mar 2011 01:57:06 GMT)

Notification sent to Ansgar Burchardt <ansgar@2008.43-1.org>:
Bug acknowledged by developer. (Thu, 03 Mar 2011 01:57:06 GMT)

Message #38 received at 614302-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 614302-close@bugs.debian.org
Subject: Bug#614302: fixed in dtc 0.29.17-1+lenny1
Date: Thu, 03 Mar 2011 01:56:09 +0000
Source: dtc
Source-Version: 0.29.17-1+lenny1

We believe that the bug you reported is fixed in the latest version of
dtc, which is due to be installed in the Debian FTP archive:

dtc-common_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-common_0.29.17-1+lenny1_all.deb
dtc-core_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-core_0.29.17-1+lenny1_all.deb
dtc-cyrus_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-cyrus_0.29.17-1+lenny1_all.deb
dtc-postfix-courier_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-postfix-courier_0.29.17-1+lenny1_all.deb
dtc-stats-daemon_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-stats-daemon_0.29.17-1+lenny1_all.deb
dtc-toaster_0.29.17-1+lenny1_all.deb
  to main/d/dtc/dtc-toaster_0.29.17-1+lenny1_all.deb
dtc_0.29.17-1+lenny1.diff.gz
  to main/d/dtc/dtc_0.29.17-1+lenny1.diff.gz
dtc_0.29.17-1+lenny1.dsc
  to main/d/dtc/dtc_0.29.17-1+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 614302@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated dtc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 23 Feb 2011 02:17:33 +0800
Source: dtc
Binary: dtc-common dtc-core dtc-cyrus dtc-postfix-courier dtc-stats-daemon dtc-toaster
Architecture: source all
Version: 0.29.17-1+lenny1
Distribution: lenny-security
Urgency: low
Maintainer: Thomas Goirand <thomas@goirand.fr>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 dtc-common - web control panel for admin and accounting hosting services (comm
 dtc-core   - web control panel for admin and accounting hosting services (fewe
 dtc-cyrus  - web control panel for admin and accounting hosting services (cyru
 dtc-postfix-courier - web control panel for admin and accounting hosting services (more
 dtc-stats-daemon - dtc-xen VM statistics for the dtc web control panel
 dtc-toaster - web control panel for admin and accounting hosting services (meta
Closes: 614302
Changes: 
 dtc (0.29.17-1+lenny1) lenny-security; urgency=low
 .
   * Fixes: CVE-2011-0434: SQL injection in bw_per_month.php graph
   * Fixes: CVE-2011-0435: Bandwidth information disclosure in bw_per_month.php
     graph.
   * Fixes: CVE-2011-0436: Passwords being emailed to the admin in clear text
     (Closes: #614302).
   * Fixes: CVE-2011-0437: Removed dangerous SQL old unused code for ssh
     accounts management.
Checksums-Sha1: 
 fa6ae9ca49bcf70f27397cf4b37ace0779f8aff7 1542 dtc_0.29.17-1+lenny1.dsc
 a4dea72f0586776160994ad12233fc02c121c3d5 11064929 dtc_0.29.17.orig.tar.gz
 4fabd2c27d20548f15bcc48cbf2137ba46c5b450 84014 dtc_0.29.17-1+lenny1.diff.gz
 75f9ed1a1bc5de2c0998dec1f32a66ba49319c3f 5012906 dtc-common_0.29.17-1+lenny1_all.deb
 b3b22fea0ddc3087647517517d8bd702d6980f4a 69800 dtc-core_0.29.17-1+lenny1_all.deb
 05c435c7242ab204839b0df79d8445867a791229 69920 dtc-cyrus_0.29.17-1+lenny1_all.deb
 c39d5b5cfd200bcd7c02d7010b721f98450099a4 71442 dtc-postfix-courier_0.29.17-1+lenny1_all.deb
 71907f23cb5a69ba600dba6239222218ab2bcf11 30630 dtc-stats-daemon_0.29.17-1+lenny1_all.deb
 1e5da94d07d0c5f99ea6cb012ab6ef6f46a9fc7e 25226 dtc-toaster_0.29.17-1+lenny1_all.deb
Checksums-Sha256: 
 aba0d22b2178aac8e7e1dbb95579b181285b0504470435680caa1f05b2aac30f 1542 dtc_0.29.17-1+lenny1.dsc
 8a6f3ca68ee4f15f6deaa98e3ae65986d7fab077fa908d88833196fd80efe1eb 11064929 dtc_0.29.17.orig.tar.gz
 b772dde3ff2b522963ca02ad9c51283fc54a0b05ed99150dfc3f6cc203ef00a4 84014 dtc_0.29.17-1+lenny1.diff.gz
 4b1f556577b7ac26596296daa9f54ded460225595d7264b2acf5a797ae632179 5012906 dtc-common_0.29.17-1+lenny1_all.deb
 5118c8fb6668e676c917291d229b4a255548b1abcc0e07f1a3c2a41a29cd4fd1 69800 dtc-core_0.29.17-1+lenny1_all.deb
 31c9b3ca20cea964937c10c7377e57da8e8fd99f584a0b96ecf9f95881027799 69920 dtc-cyrus_0.29.17-1+lenny1_all.deb
 a9ac8fa2411196b615c115f0aa6a3a5ee305de42680e80a3800c07737f643ee6 71442 dtc-postfix-courier_0.29.17-1+lenny1_all.deb
 c7c753da6a041b1c5c92fc38cdf0cf8501436d221abd046b65ca5c6e51c8dbc8 30630 dtc-stats-daemon_0.29.17-1+lenny1_all.deb
 7e68348918111a1c9e91ff4785ebc6e85a2a89ca20238c7cb94284790c0ad2bf 25226 dtc-toaster_0.29.17-1+lenny1_all.deb
Files: 
 276c9ca22aa2beaa43d8bf5703b57524 1542 admin extra dtc_0.29.17-1+lenny1.dsc
 49d9991bdb46bceff8d2ea84896097eb 11064929 admin extra dtc_0.29.17.orig.tar.gz
 3cdea33b2c72fbfd541e4447b71dbb67 84014 admin extra dtc_0.29.17-1+lenny1.diff.gz
 3d103ffaa55e597ddba8f2374596d842 5012906 admin extra dtc-common_0.29.17-1+lenny1_all.deb
 1a6d2ff3f3885d5fccb9e1e35515c1d9 69800 admin extra dtc-core_0.29.17-1+lenny1_all.deb
 116cfb38f5fc02c94fc060aea17ed2a6 69920 admin extra dtc-cyrus_0.29.17-1+lenny1_all.deb
 b21856fa38e043e82480c479388070b0 71442 admin extra dtc-postfix-courier_0.29.17-1+lenny1_all.deb
 e4935159ee798325e601f98b89571474 30630 admin extra dtc-stats-daemon_0.29.17-1+lenny1_all.deb
 d3fca954b63dff3b12d9086eb58c6137 25226 admin extra dtc-toaster_0.29.17-1+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJNbqlxAAoJEL97/wQC1SS+twkH/3kqN9DGBFHQwtk2kpaSrqOv
v5JQU9DQnK20vK593xThbuPIwPhDOQdsvTNEobycT4cxmTEOeuAPGjc9kc2oJyQj
iOgYJSbXIgiaeDivjXW7YSjjbZPw/4QLfCrlu4hO12aUJ8IpUZ1qPoA1qoIWxjXt
Cb2v88k4jq3HGKxjLDP/bgaGg2TFnXyEL3JV5TiHYCZxI+4eZjXWQ6TfzsLcMqXx
ikjWhwssuIZIK0UCLrfQy+XpGPv48fgBv7Dtt9bS6AGRX9h1m3dSEfPa6S5CBB3h
06VC1d81F1uSlp8iVwbV2PMf7uWpSMmLKkop8ZopDSaLwZE5iyMWzLK5tGjknuk=
=8ljl
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 17 Sep 2011 07:30:11 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:28:30 2014; Machine Name: beach.debian.org
