Thread: modify to roundcube to use GET instead of POST

Not sure what you're looking for, you seem to be pretty conscious of the task. Turn your $_POST's into $_GET's in the source code and make sure to request the pages as you've edited the source.

A huge drawback is the fact that your password will be stored in clear text in your httpds access logs (e.g. /var/log/apache2/access.log) unless you take action against it. What you could do is to send the hashed string to start the session instead of sending your password in clear text and let the server handle the hashing after your password's logged by your httpd. People will still be able to read the logs and access your inbox the same way you do, but they won't have your password. Using GET is really a play with plague or cholera.

Originally Posted by qnrq

Not sure what you're looking for, you seem to be pretty conscious of the task. Turn your $_POST's into $_GET's in the source code and make sure to request the pages as you've edited the source.

A huge drawback is the fact that your password will be stored in clear text in your httpds access logs (e.g. /var/log/apache2/access.log) unless you take action against it. What you could do is to send the hashed string to start the session instead of sending your password in clear text and let the server handle the hashing after your password's logged by your httpd. People will still be able to read the logs and access your inbox the same way you do, but they won't have your password. Using GET is really a play with plague or cholera.

i managed to modify the code & i can access the webmail directly without putting the username+password in the login screen.

to hide the password you are suggesting to use just a hash(e.g md5) or
two way encryption(using keys) ?

am thinking of using a two way encryption.

if i put the hashed password (e.g md5) in the url , then i won't be able to decrypt the password
or there is a way to do it with just md5 hashing??