Security Advisory 08 for Kolab Server
Bernhard Herzog
bernhard.herzog at intevation.de
Fri Jan 13 20:41:48 CET 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kolab Security Issue 08 20060113
================================
Package: Kolab Server
Vulnerability: Verbose logging for connections to port 465 (ssmtp)
includes the credentials of the connecting users.
Passwords might leak through this.
Kolab Specific: yes
Impact: high
Details
-------
With the default configuration of the Kolab server, when a client
connects to port 465 for secure SMTP and tries to authenticate itself,
the credentials are logged in /kolab/var/postfix/log/postfix.log.
Other unix users on the server system may be able to read that file and
learn passwords from it.
Note that usually postfix.log is world readable with permissions 0644.
You can change this with chmod and in /kolab/etc/fsl/fsl.postfix.
Affected Versions
-----------------
Vulnerable: Stable Kolab Servers 2.0.1 2.0.2
Untested: Kolab Server 2.0
Vulnerable: Development Kolab Servers <= pre-2.1-20051215
Fixes
-----
Upgrade to Kolab Server 2.0.3
Alternatively: Remove the "-v" option from the line starting with "465"
in the master.cf.template and then run kolabconf to refresh postfix.
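As an added example that is not part of the advisory or of the Kolab project, the following POSIX shell script checks the two conditions described above (a "-v" on the 465 service entry of a master.cf template, and a world-readable postfix.log) and applies the corresponding corrections. The template excerpt and log lines it works on are constructed for illustration; the exact wording of Postfix's verbose log lines is an assumption, the check only looks for the SMTP AUTH command itself and never prints the matching lines.

```shell
#!/bin/sh
# Added example, not from the Kolab advisory. Audits a master.cf(.template)
# for the verbose flag on the 465 (smtps) service and checks whether the
# Postfix log is readable by other users; then shows the two corrections.

# Return 0 if the "465" service entry carries the Postfix "-v" option,
# 1 otherwise. master.cf continuation lines start with whitespace, so the
# whole entry is searched, not only its first line.
smtps_is_verbose() {
    awk '
        /^#/ { next }                              # comment line
        /^[^[:space:]]/ { in465 = ($1 == "465") }  # start of a service entry
        in465 && /(^|[[:space:]])-v([[:space:]]|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the template with "-v" removed from the 465 entry only; every other
# service keeps its options untouched.
strip_smtps_verbose() {
    awk '
        /^#/ { print; next }
        /^[^[:space:]]/ { in465 = ($1 == "465") }
        in465 {
            while (sub(/[[:space:]]-v([[:space:]]|$)/, " ")) {}
            sub(/[[:space:]]+$/, "")               # drop trailing blank
        }
        { print }
    ' "$1"
}

# Return 0 if "other" has read permission on the file (e.g. mode 0644).
# Reads the ls -l mode string, so it does not depend on GNU vs BSD stat.
log_is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Count SMTP AUTH commands recorded in a log. Assumption: with "-v", smtpd
# records the client's raw commands, so an "AUTH PLAIN"/"AUTH LOGIN" line
# carries base64-encoded credentials. Only the count is reported.
count_auth_lines() {
    grep -Eic '(^|[^A-Za-z])AUTH (PLAIN|LOGIN)( |$)' "$1" || true
}

# --- demonstration on constructed data ------------------------------------
tmpl=$(mktemp) && log=$(mktemp)
cat >"$tmpl" <<'EOF'
# constructed master.cf.template excerpt (not Kolab's real file)
smtp      inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd -v
  -o smtpd_tls_wrappermode=yes
EOF
cat >"$log" <<'EOF'
Jan 13 20:41:48 host postfix/smtpd[1234]: connect from client.example[192.0.2.10]
Jan 13 20:41:49 host postfix/smtpd[1234]: < client.example[192.0.2.10]: AUTH PLAIN [constructed-base64-omitted]
EOF
chmod 0644 "$log"   # the default the advisory describes

smtps_is_verbose "$tmpl" && echo "465 entry has -v: client credentials will be logged"
log_is_world_readable "$log" && echo "log is world readable: $(ls -ld "$log" | cut -c1-10)"
echo "AUTH commands present in log: $(count_auth_lines "$log")"

# Corrections: drop -v from the template (kolabconf would then regenerate
# master.cf) and stop other users from reading the log.
strip_smtps_verbose "$tmpl" >"$tmpl.fixed"
chmod 0640 "$log"
smtps_is_verbose "$tmpl.fixed" || echo "fixed template: 465 entry no longer verbose"
log_is_world_readable "$log" || echo "log no longer world readable"
rm -f "$tmpl" "$tmpl.fixed" "$log"
```

Run it as a regular user; on a real server the audit functions would be pointed at the actual template and at /kolab/var/postfix/log/postfix.log, and any log that already contains AUTH lines should be treated as a credential exposure regardless of whether -v has since been removed.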
Timeline
--------
2005-11-02 Issue968 was filed, assumed logging only on failure.
2005-12-19 Discovered that logging happened always.
2006-01-04 Security implications of world readable logfile noticed.
2006-01-11 Analysis, fix and new server release with fix.
2006-01-13 Advisory published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFDyADQ0vCiU5+ISsgRAgfsAJ0bqau6XerXsXk5VIO4L0rOT+DK1ACcDY4l
919ok7QQhuz/ntulPfNugKA=
=vTb2
-----END PGP SIGNATURE-----