Roundcube Still Has That Major Security Flaw!!!!!

simplistsims · August 10, 2006, 10:31:08 AM

I noticed with the new version of roundcube I can still log in with only my password. I was told this flaw was resolved but it looks like it wasn't. I would really like to see the resolved aswell as other people. Anyone can try and use a dictionary attack to login without the need to find a e-mail address/login.

Slug · August 10, 2006, 10:49:36 AM

well I just tried to log in with ONLY my password, it it failed.. so I works for me ...

Michael

simplistsims · August 10, 2006, 10:56:09 AM

what kinda error came up?

Slug · August 10, 2006, 11:23:16 AM

Quote from: simplistsims what kinda error came up?

"log in Failed"

Michael

flash · August 10, 2006, 12:44:45 PM

Login failed for me as well.

KeblerelfKC · August 10, 2006, 02:34:44 PM

I tried the passwords for a few different accounts and all mine failed as well. You're using the 0.1 Beta 2 version right?

simplistsims · August 11, 2006, 08:26:44 AM

yeah i am

richardt · August 13, 2006, 08:30:52 PM

"Login Failed" here too...

Delta-9 · August 14, 2006, 04:27:12 PM

login worked for me w/ only the password.

For those that have the problem 'fixed' do you have multiple users on your roundcube install?

I only have one account (mine) on my roundcube install, so I am just wondering if that has anything to do with it. This isnt a major concern of mine, since I am the only one that uses this and I am the only one that knows my password.

KeblerelfKC · August 14, 2006, 10:01:14 PM

Yeah...have multiple users in my case.

flash · August 14, 2006, 10:22:56 PM

What do you mean multiple users? RC does not know how many users are going to use it.

What setting in the config file are you talking about? Maybe that is the key. What ever config value you have set, maybe we don't.

KeblerelfKC · August 16, 2006, 12:32:02 AM

My assumption was that they meant multiple records in the RC users table.

poncho · August 16, 2006, 05:44:37 AM

I have only one mail account (my own) and yes, I can login with only my password.

But I don't think this is a critical bug. The username is bla@domain.de for me and everyone can see it.
The password is the secret thing and without it you can do nothing

moroswitie · August 16, 2006, 08:14:38 AM

I checked it, and this is wat it gave,

fresh install, no users stored in the mysql database

-------
Logged in with user succesfully =>
logged out =>
closed browser (firefox) =>
opened new browser window entered only password; succesfully logged in =>
=>
opened new browser windows (ie) entered only password; succesfully logged in
-------
-------
Logged in with different user succesfully =>
logged out =>
closed browser (firefox) =>
opened new browser window, entered only password (for this user); logging in failed =>
=>
opened new browser windows (ie), entered only password (for this user); logging in failed
-------
-------
opened new browser window, entered only password for the first user I logged in with; succesfully logged in

Slug · August 17, 2006, 09:19:27 AM

Quote from: Delta-9 For those that have the problem 'fixed' do you have multiple users on your roundcube install?

Yes 2 users ...

Michael