Serveria Support
2022-Oct-11 14:22 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Bingo! Great to see some like-minded person here John! Yeah, it's such an obvious vulnerability, I'm kinda surprised most people here don't see an issue with that. If I were a Dovecot Pro OX customer, I'd be very concerned with this "feature". Imagine hacking Protonmail's server, getting root access and seeing customers' password there in clear text? ))) On 2022-10-11 17:38, John Tulp wrote:> I find this conversation "interesting". > > Serveria, i think some can't see the attack scenario where the > attacker's goal is simply to get email passwords, and nothing else. it > would make sense for their strategy to do nothing else "bad" on the > server to attract attention to their intrusion. In that case, all > they > would do is send back the treasure trove of passwords to their home > server(s), and sit there, remaining possibly for years, hiding, > exploiting the fact that dovecot, with no code modification, will allow > them to grab email passwords. If a dovecot server has thousands of > email accounts, that represents thousands of other devices they could > target, which is worth much more to the attacker than a single dovecot > server. > > Oh well, food for thought. > > > On Tue, 2022-10-11 at 15:11 +0300, Serveria Support wrote: >> Yes, I realize that. But I can't think of a reason this password is >> necessary in the logs. It's kind of a backdoor and has to be removed >> from code. Why make intruder's life easier? >> >> On 2022-10-11 13:39, Arjen de Korte wrote: >> > Citeren Serveria Support <support at serveria.com>: >> > >> >> Yes, there is a tiny problem letting the attacker change this value >> >> back to yes and instantly get access to users' passwords in plain >> >> text. Apart from that - no problems at all. :) >> > >> > If an attacker is able to modify your Dovecot configuration, you have >> > bigger problems than leaking your users' password. Much bigger...
dovecot at ptld.com
2022-Oct-11 15:16 UTC
Dovecot mail-crypt webmail can't read encrypted messages
> Yeah, it's such an obvious vulnerability, I'm kinda surprised most people here don't see an issue with that.What people are trying to explain is the scenario you describe requires an attacker to have root privileges on the target server. If someone has root access to a server then your fears are moot and the suggestion to remove code logging passwords offers zero protection. If someone has root they can just read the email storage files, no password needed. If someone has root, and dovecot has no code showing passwords in logs, the attacker can build THEIR OWN version of dovecot that "key-logs" all passwords to a remote server WITHOUT displaying passwords in the logs. This is what people mean when they say if someone has root you have bigger problems then dovecot logging.