Ansgar Burchardt
2011-Feb-20 22:02 UTC
[Secure-testing-team] Bug#614302: dtc-common: sends password of new users to site admin by unencrypted email
Package: dtc-common
Version: 0.29.17-1
Severity: grave
Tags: upstream security

dtc sends the password of new users to the webmaster:

    $mail_content = "
    Somebody tried to register an account. Here is the details of the new user:

    login: ".$_REQUEST["reqadm_login"]."
    pass: ".$_REQUEST["reqadm_pass"]."
    [...]
    mail($conf_webmaster_email_addr, "$conf_message_subject_header Somebody tried to register an account", $mail_content, $headers);

(from client/new_account_form.php)

This mail is not encrypted. I also don't see any reason why the webmaster should even know the password...

Ansgar
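
A source-audit check for the pattern reported above, added here as an example and not part of the original report or of dtc: a heuristic Python scan that flags PHP mail() calls whose arguments carry a password request parameter, directly or through a variable. The function names and both PHP samples are constructed for illustration.

```python
import re

# Heuristic regexes, not a PHP parser: meant for triaging a code base.
SECRET_PARAM = re.compile(
    r'\$_(?:REQUEST|POST|GET)\[\s*["\']([^"\']*pass[^"\']*)["\']\s*\]', re.I)
ASSIGN = re.compile(r'(\$\w+)\s*\.?=(?![=>])(.*?);\s*$', re.S | re.M)
MAIL_CALL = re.compile(r'\bmail\s*\((.*?)\)\s*;', re.S)

# Constructed samples modelled on the quoted snippet (elided part left out).
VULNERABLE = r'''<?php
$mail_content = "
Somebody tried to register an account. Here is the details of the new user:
login: ".$_REQUEST["reqadm_login"]."
pass: ".$_REQUEST["reqadm_pass"]."
";
mail($conf_webmaster_email_addr, "Somebody tried to register an account", $mail_content, $headers);
'''
FIXED = r'''<?php
$mail_content = "
Somebody tried to register an account.
login: ".$_REQUEST["reqadm_login"]."
";
mail($conf_webmaster_email_addr, "Somebody tried to register an account", $mail_content, $headers);
'''

def secrets_in(expr, tainted):
    """Secret request parameters reachable from a PHP expression."""
    found = set(SECRET_PARAM.findall(expr))
    for var, params in tainted.items():
        if re.search(re.escape(var) + r'\b', expr):
            found |= params
    return found

def find_password_mails(php_source):
    """Return [(line, sorted params)] for mail() calls that carry a secret."""
    tainted = {}  # PHP variable -> secret request parameters it contains
    for m in ASSIGN.finditer(php_source):
        params = secrets_in(m.group(2), tainted)
        if params:
            tainted.setdefault(m.group(1), set()).update(params)
    findings = []
    for m in MAIL_CALL.finditer(php_source):
        params = secrets_in(m.group(1), tainted)
        if params:
            line = php_source.count("\n", 0, m.start()) + 1
            findings.append((line, sorted(params)))
    return findings

if __name__ == "__main__":
    print(find_password_mails(VULNERABLE))
    print(find_password_mails(FIXED))
```
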