You are viewing a plain text version of this content. The canonical link for it is here.

Posted to server-dev@james.apache.org by bu...@apache.org on 2002/07/27 20:52:05 UTC

DO NOT REPLY [Bug 11234] New: - User passwords are displayed in the log

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11234>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11234

User passwords are displayed in the log

           Summary: User passwords are displayed in the log
           Product: James
           Version: 2.0a3
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: POP3Server
        AssignedTo: james-dev@jakarta.apache.org
        ReportedBy: farsight@alum.mit.edu


Contrary to standard security practices, the POP3Handler displays the user 
password in the log.  This allows the administrator or anyone with read-only 
access to the server logs to gain access to users' mailboxes.  Very bad.  Very 
easy fix.

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>