
AfterLogic WebMail Lite 7

Topic: Possible security issue
nsine
Newbie
Joined: 02 September 2015
Location: Belgium
Posts: 3
Posted: 02 September 2015 at 11:38pm

Hi,

I am new to the AfterLogic WebMail Lite forum.

Recently I have changed my IMAP server settings. When I tried the AfterLogic login, it failed because the port was wrongly specified in the settings.xml.
That is as expected.
But when I checked the logs, I found my login + password in clear text in the logs:



[06:15:53.36][b5731237] IMAP[NOTICE]: exception 'MailSo\Net\Exceptions\SocketCanNotConnectToHostException' with message 'Can't connect to host "ssl://127.0.0.1:993"' i$
Stack trace:
#0 /usr/share/afterlogic/libraries/MailSo/Imap/ImapClient.php(149): MailSo\Net\NetClient->Connect('127.0.0.1', 993, 1, false)
#1 /usr/share/afterlogic/libraries/afterlogic/common/managers/mail/manager.php(91): MailSo\Imap\ImapClient->Connect('127.0.0.1', 993, 1, false)
#2 /usr/share/afterlogic/libraries/afterlogic/common/managers/mail/manager.php(143): CApiMailManager->_getImapClient(Object(CAccount))
#3 /usr/share/afterlogic/libraries/afterlogic/common/managers/integrator/manager.php(775): CApiMailManager->validateAccountConnection(Object(CAccount))
#4 /usr/share/afterlogic/libraries/ProjectCore/Actions.php(2880): CApiIntegratorManager->loginToAccount('****CLEAR TEXT LOGIN****', '****CLEAR TEXT PASSWORD****', '', 'English')
#5 [internal function]: ProjectCore\Actions->AjaxSystemLogin()
#6 /usr/share/afterlogic/libraries/ProjectCore/Service.php(290): call_user_func(Array)
#7 /usr/share/afterlogic/libraries/ProjectCore/Boot.php(12): ProjectCore\Service->Handle()
#8 /usr/share/afterlogic/index.php(104): include('/usr/share/afte...')
#9 {main}
[06:15:53.36][b5731237] Previous Exception: Can't connect to host "ssl://127.0.0.1:993"
[06:15:53.41][b5731237] exception 'CApiManagerException' with message 'Connect to mail server failed' in /usr/share/afterlogic/libraries/afterlogic/common/managers/mai$
Stack trace:
#0 /usr/share/afterlogic/libraries/afterlogic/common/managers/integrator/manager.php(775): CApiMailManager->validateAccountConnection(Object(CAccount))
#1 /usr/share/afterlogic/libraries/ProjectCore/Actions.php(2880): CApiIntegratorManager->loginToAccount('****CLEAR TEXT LOGIN****', '****CLEAR TEXT PASSWORD****', '', 'English')
#2 [internal function]: ProjectCore\Actions->AjaxSystemLogin()
#3 /usr/share/afterlogic/libraries/ProjectCore/Service.php(290): call_user_func(Array)
#4 /usr/share/afterlogic/libraries/ProjectCore/Boot.php(12): ProjectCore\Service->Handle()
#5 /usr/share/afterlogic/index.php(104): include('/usr/share/afte...')
#6 {main}


Please note that the log file is world-readable:
-rw-r--r-- 1 www-data www-data 414460 Sep 3 08:35 log-2015-09-03.txt



Is this known and normal behavior?


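For admins in the situation this post describes, an added example (not AfterLogic code and not part of the original thread): a Python script that redacts string arguments from stack-trace frames in existing log files and removes world-read access. The sample lines with their login and password values are constructed; the `[REDACTED]` marker and the 0640 mode are assumptions.

```python
import os
import re
import stat
import sys

# One frame of a PHP stack trace as printed in the log above:
#   "#4 /path/Actions.php(2880): Class->method('arg', 'arg')"
FRAME = re.compile(r"^(#\d+ (?:.+?\(\d+\)|\[internal function\]): "
                   r"[\w\\]+(?:(?:->|::)\w+)?)\((.*)\)\s*$")

# Constructed sample in that format; the login and password are made up.
SAMPLE = [
    "#0 /usr/share/afterlogic/libraries/afterlogic/common/managers/integrator/"
    "manager.php(775): CApiMailManager->validateAccountConnection(Object(CAccount))\n",
    "#1 /usr/share/afterlogic/libraries/ProjectCore/Actions.php(2880): "
    "CApiIntegratorManager->loginToAccount('user@example.test', 'Pa'ss)w0rd', '', 'English')\n",
    "#2 [internal function]: ProjectCore\\Actions->AjaxSystemLogin()\n",
]

def scrub_lines(lines):
    """Return (clean_lines, hits); hits are (line_number, call) pairs.
    A frame holding any string literal loses its whole argument list, since
    the trace does not escape quotes or parentheses inside argument values."""
    clean, hits = [], []
    for number, line in enumerate(lines, start=1):
        body = line.rstrip("\r\n")
        match = FRAME.match(body)
        if match and "'" in match.group(2):
            call = match.group(1)
            clean.append(call + "([REDACTED])" + line[len(body):])
            hits.append((number, call.rsplit(" ", 1)[-1]))
        else:
            clean.append(line)
    return clean, hits

def is_world_readable(path):
    """True when the 'other' read bit is set, as in -rw-r--r--."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def scrub_file(path):
    """Redact one log file in place, then limit it to owner and group."""
    with open(path, encoding="utf-8", errors="surrogateescape") as handle:
        clean, hits = scrub_lines(handle.readlines())
    with open(path, "w", encoding="utf-8", errors="surrogateescape") as handle:
        handle.writelines(clean)
    os.chmod(path, 0o640)
    return hits

if __name__ == "__main__":
    print([(p, is_world_readable(p), scrub_file(p)) for p in sys.argv[1:]])
```

Run it on closed daily log files rather than the one currently being written. Passwords that already reached a world-readable log should be changed, since redaction only limits further exposure.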
 
nsine
Posted: 02 September 2015 at 11:48pm

More info:

I know the log level is set to debug or "HIGH".
This causes the login and password to be logged.

Maybe there can be a note near the log setting debug?
I don't know if every admin will expect this behavior.
 
Igor
AfterLogic Support
Joined: 24 June 2008
Location: United States
Posts: 6040
Posted: 03 September 2015 at 3:49am

Hello,

Can you please confirm you're running the current 7.6 release of WebMail Lite? You should be able to find the version number in the /usr/share/afterlogic/VERSION file.

--
Regards,
Igor, AfterLogic Support
 
nsine
Posted: 03 September 2015 at 10:55am

Hi Igor,

Yes, I am running version: 7.6.2
 
Igor
AfterLogic Support
Posted: 04 September 2015 at 5:19am

Thank you. I've checked that with the developers; they state there is no control over the information which is part of the stack trace output in the log. The authentication method has login and password as parameters, which is why they are part of the stack trace output.

--
Regards,
Igor, AfterLogic Support