Bug#962629: rainloop: Rainloop stores passwords in cleartext in logfile


Marco Herrn

Jun 10, 2020, 6:00:03 PM
Package: rainloop
Version: 1.12.1-2
Severity: important

Dear Maintainer,

When writing into a logfile, rainloop writes the passwords of all login
attempts (successful or not) into the logfile in cleartext.

Rainloop provides an option 'hide_passwords' in the application.ini that
should prohibit that behaviour, which is by default set to 'On'. But
apparently this doesn't have any effect.

There is already an unresolved github issue about that topic:
https://github.com/RainLoop/rainloop-webmail/issues/1872

Even though this issue doesn't affect the actual usability of rainloop,
I set the severity to 'Important' as this is a security issue.


-- System Information:
Debian Release: 10.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rainloop depends on:
ii apache2 [httpd] 2.4.38-3+deb10u3
ii ckeditor 4.11.1+dfsg-1
ii php-curl 2:7.3+69
ii php-fpm 2:7.3+69
ii php-nrk-predis 1.0.0-1
ii php-pclzip 2.8.2-4
ii php-seclib 1.0.14-1
ii php-xml 2:7.3+69
ii php7.3-curl [php-curl] 7.3.14-1~deb10u1
ii php7.3-fpm [php-fpm] 7.3.14-1~deb10u1
ii php7.3-json [php-json] 7.3.14-1~deb10u1
ii php7.3-xml [php-xml] 7.3.14-1~deb10u1

rainloop recommends no packages.

Versions of packages rainloop suggests:
pn php5-sqlite | php5-mysql | php5-pgsql <none>

-- Configuration Files:
/etc/rainloop/application.ini changed [not included]
/etc/rainloop/rainloop.apache.conf changed [not included]

-- no debconf information

Guilhem Moulin

May 27, 2023, 5:30:05 PM
Control: tag -1 unreproducible

On Wed, 10 Jun 2020 at 23:19:41 +0200, Marco Herrn wrote:
> When writing into a logfile, rainloop writes the passwords of all
> login attempts (successful or not) into the logfile in cleartext.

FWIW I'm not able to reproduce this with the version from Debian buster
(1.12.1-2). Stock config, just replaced ‘enable = Off’ with ‘enable = On’
in /etc/rainloop/application.ini's ‘[logs]’ section. (‘hide_passwords’
remains set as per default.) I see my username in the log, but the
passphrase is replaced with (a fixed number of) asterisks in both
successful and failed sessions:

INFO[DATA]: [DATE:27.05.23][OFFSET:-00][RL:1.12.1][PHP:7.3.31-1~deb10u3][IP:127.0.0.1][PID:976085][nginx/1.14.2][fpm-fcgi]
INFO[DATA]: [Suhosin:off][APC:off][MB:off][PDO:~][Streams:tcp,udp,unix,udg,ssl,tls,tlsv1.0,tlsv1.1,tlsv1.2]
REQUEST[NOTE]: [POST] http://127.0.0.1/?/Ajax/&q[]=/0/
AJAX[NOTE]: Action: DoLogin
POST[DATA]: {"Email":"gui...@example.net","Login":"","Password":"*******","Language":"","AdditionalCode":"","AdditionalCodeSignMe":"0","SignMe":"0","Action":"Login","XToken":"[…]"}
IMAP[NOTE]: Start connection to "ssl://imap.example.net:993"
IMAP[NOTE]: Connected (success)
IMAP[DATA]: < * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] howdy, ready.\r\n
IMAP[DATA]: > TAG1 AUTHENTICATE PLAIN\r\n
IMAP[DATA]: < + \r\n
IMAP[SECURE]: > *******\r\n
IMAP[DATA]: < TAG1 NO [AUTHENTICATIONFAILED] Authentication failed.\r\n
IMAP[WARNING]: MailSo\Imap\Exceptions\NegativeResponseException: MailSo-Imap-Exceptions-NegativeResponseException (ImapClient.php ~ 1874) in /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php:1874
Stack trace:
#0 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(1951): MailSo\Imap\ImapClient->validateResponse(Array)
#1 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(281): MailSo\Imap\ImapClient->parseResponseWithValidation()
#2 /usr/share/rainloop/app/libraries/MailSo/Mail/MailClient.php(92): MailSo\Imap\ImapClient->Login('guilhem@example....', '*******', '', true, false)
#3 /usr/share/rainloop/app/libraries/RainLoop/Model/Account.php(451): MailSo\Mail\MailClient->Login('guilhem@example....', '*******', '', true, false)
#4 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2078): RainLoop\Model\Account->IncConnectAndLoginHelper(Object(RainLoop\Plugins\Manager), Object(MailSo\Mail\MailClient), Object(RainLoop\Config\Application))
#5 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2329): RainLoop\Actions->CheckMailConnection(Object(RainLoop\Model\Account), true)
#6 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2381): RainLoop\Actions->LoginProcess('guilhem@example....', '*******', '', '', false)
#7 /usr/share/rainloop/app/libraries/RainLoop/ServiceActions.php(172): RainLoop\Actions->DoLogin()
#8 /usr/share/rainloop/app/libraries/RainLoop/Service.php(146): RainLoop\ServiceActions->ServiceAjax('')
#9 /usr/share/rainloop/app/libraries/RainLoop/Service.php(56): RainLoop\Service->localHandle()
#10 /usr/share/rainloop/app/libraries/RainLoop/Service.php(79): RainLoop\Service->__construct()
#11 /usr/share/rainloop/app/handle.php(94): RainLoop\Service::Handle()
#12 /usr/share/rainloop/include.php(228): include('/usr/share/rain...')
#13 /usr/share/rainloop/index.php(13): include('/usr/share/rain...')
#14 {main}
IMAP[NOTICE]: MailSo\Imap\Exceptions\NegativeResponseException: MailSo-Imap-Exceptions-NegativeResponseException (ImapClient.php ~ 1874) in /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php:1874
Stack trace:
#0 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(1951): MailSo\Imap\ImapClient->validateResponse(Array)
#1 /usr/share/rainloop/app/libraries/MailSo/Imap/ImapClient.php(281): MailSo\Imap\ImapClient->parseResponseWithValidation()
#2 /usr/share/rainloop/app/libraries/MailSo/Mail/MailClient.php(92): MailSo\Imap\ImapClient->Login('guilhem@example....', '*******', '', true, false)
#3 /usr/share/rainloop/app/libraries/RainLoop/Model/Account.php(451): MailSo\Mail\MailClient->Login('guilhem@example....', '*******', '', true, false)
#4 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2078): RainLoop\Model\Account->IncConnectAndLoginHelper(Object(RainLoop\Plugins\Manager), Object(MailSo\Mail\MailClient), Object(RainLoop\Config\Application))
#5 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2329): RainLoop\Actions->CheckMailConnection(Object(RainLoop\Model\Account), true)
#6 /usr/share/rainloop/app/libraries/RainLoop/Actions.php(2381): RainLoop\Actions->LoginProcess('guilhem@example....', '*******', '', '', false)
#7 /usr/share/rainloop/app/libraries/RainLoop/ServiceActions.php(172): RainLoop\Actions->DoLogin()
#8 /usr/share/rainloop/app/libraries/RainLoop/Service.php(146): RainLoop\ServiceActions->ServiceAjax('')
#9 /usr/share/rainloop/app/libraries/RainLoop/Service.php(56): RainLoop\Service->localHandle()
#10 /usr/share/rainloop/app/libraries/RainLoop/Service.php(79): RainLoop\Service->__construct()
#11 /usr/share/rainloop/app/handle.php(94): RainLoop\Service::Handle()
#12 /usr/share/rainloop/include.php(228): include('/usr/share/rain...')
#13 /usr/share/rainloop/index.php(13): include('/usr/share/rain...')
#14 {main}

INFO[DATA]: [DATE:27.05.23][OFFSET:-00][RL:1.12.1][PHP:7.3.31-1~deb10u3][IP:127.0.0.1][PID:976084][nginx/1.14.2][fpm-fcgi]
INFO[DATA]: [Suhosin:off][APC:off][MB:off][PDO:~][Streams:tcp,udp,unix,udg,ssl,tls,tlsv1.0,tlsv1.1,tlsv1.2]
REQUEST[NOTE]: [POST] http://127.0.0.1/?/Ajax/&q[]=/0/
AJAX[NOTE]: Action: DoLogin
POST[DATA]: {"Email":"gui...@example.net","Login":"","Password":"*******","Language":"","AdditionalCode":"","AdditionalCodeSignMe":"0","SignMe":"0","Action":"Login","XToken":"[…]"}
IMAP[NOTE]: Start connection to "ssl://imap.example.net:993"
IMAP[NOTE]: Connected (success)
IMAP[DATA]: < * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] howdy, ready.\r\n
IMAP[DATA]: > TAG1 AUTHENTICATE PLAIN\r\n
IMAP[DATA]: < + \r\n
IMAP[SECURE]: > *******\r\n
IMAP[DATA]: < TAG1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE COMPRESS=DEFLATE QUOTA] Logged in\r\n
AJAX[DATA]: {"Action":"Login","Result":true,"Time":2119}
IMAP[DATA]: > TAG2 LOGOUT\r\n
IMAP[DATA]: < * BYE Logging out\r\n
IMAP[DATA]: < TAG2 OK Logout completed (0.001 + 0.000 secs).\r\n
IMAP[NOTE]: Disconnected from "ssl://imap.example.net:993" (success)
INFO[MEMORY]: Memory peak usage: 2MB
INFO[TIME]: Time delta: 2.3106529712677

--
Guilhem.
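As an added example (not part of this thread and not RainLoop's own code), the check below audits RainLoop-style log output for credentials that were not masked, using the `POST[DATA]` and `IMAP[SECURE]` line formats quoted above. The sample log, the list of secret field names and the assumption that an unmasked `IMAP[SECURE]` line is a leak are constructed for the example.

```python
"""Audit RainLoop-style log output for unmasked credentials.

Added example, not RainLoop code. It flags any DoLogin POST[DATA] payload
whose secret fields are not a run of asterisks, and any IMAP[SECURE]
line (the SASL PLAIN response after AUTHENTICATE) that is not masked.
"""
import json
import re

MASK_RE = re.compile(r"^\*+$")  # RainLoop masks secrets as a run of asterisks

# Assumption: JSON fields in POST[DATA] that must never appear in clear.
SECRET_KEYS = ("Password", "AdditionalCode")

# Constructed sample: the first login is masked as expected, the second
# shows what a log produced with an ineffective hide_passwords would look like.
SAMPLE_LOG = """\
AJAX[NOTE]: Action: DoLogin
POST[DATA]: {"Email":"alice@example.net","Login":"","Password":"*******","Action":"Login"}
IMAP[DATA]: > TAG1 AUTHENTICATE PLAIN\\r\\n
IMAP[SECURE]: > *******\\r\\n
AJAX[NOTE]: Action: DoLogin
POST[DATA]: {"Email":"bob@example.net","Login":"","Password":"hunter2","Action":"Login"}
IMAP[DATA]: > TAG1 AUTHENTICATE PLAIN\\r\\n
IMAP[SECURE]: > Ym9iAGJvYgBodW50ZXIy\\r\\n
"""


def find_unmasked(log_text):
    """Return (line_number, reason) for every log line that leaks a secret."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("POST[DATA]: "):
            try:
                payload = json.loads(line[len("POST[DATA]: "):])
            except ValueError:
                findings.append((lineno, "unparseable POST[DATA] payload"))
                continue
            for key in SECRET_KEYS:
                value = payload.get(key, "")
                if value and not MASK_RE.match(value):
                    findings.append((lineno, f"unmasked {key} in POST[DATA]"))
        elif line.startswith("IMAP[SECURE]: > "):
            # Strip the literal "\r\n" RainLoop appends to protocol lines.
            body = line[len("IMAP[SECURE]: > "):].replace("\\r\\n", "").strip()
            if body and not MASK_RE.match(body):
                findings.append((lineno, "unmasked SASL credential in IMAP[SECURE]"))
    return findings


if __name__ == "__main__":
    for lineno, reason in find_unmasked(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```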