Roundcube Community Forum


Roundcube Still Has That Major Security Flaw!!!!!

Started by simplistsims, August 10, 2006, 10:31:08 AM


simplistsims

I noticed with the new version of Roundcube I can still log in with only my password. I was told this flaw was resolved, but it looks like it wasn't. I would really like to see this resolved, as would other people. Anyone can try and use a dictionary attack to log in without the need to find an e-mail address/login.
Duca Duca Duca Duca - Dr. Evil *Say it fast*

Slug

Well, I just tried to log in with ONLY my password, and it failed.. so it works for me ... 8)


Michael
Roundcube SVN 1335|PHP 5.2.4|hMailServer 5|Win 2003 SP2|IIS 6

simplistsims


Slug

Quote from: simplistsims
what kinda error came up?

"log in Failed"


flash


KeblerelfKC

I tried the passwords for a few different accounts and all mine failed as well. You're using the 0.1 Beta 2 version right?

simplistsims


richardt


Delta-9

Login worked for me w/ only the password.

For those that have the problem 'fixed' do you have multiple users on your roundcube install?

I only have one account (mine) on my Roundcube install, so I am just wondering if that has anything to do with it. This isn't a major concern of mine, since I am the only one that uses this and I am the only one that knows my password.


KeblerelfKC


flash

What do you mean multiple users? RC does not know how many users are going to use it.

What setting in the config file are you talking about? Maybe that is the key. Whatever config value you have set, maybe we don't.

KeblerelfKC

My assumption was that they meant multiple records in the RC users table.

poncho

I have only one mail account (my own) and yes, I can log in with only my password.

But I don't think this is a critical bug. The username is bla@domain.de for me and everyone can see it.
The password is the secret thing and without it you can do nothing :)

moroswitie

I checked it, and this is what it gave:

Fresh install, no users stored in the MySQL database.

-------
Logged in with user successfully =>
logged out =>
closed browser (firefox) =>
opened new browser window, entered only password; successfully logged in =>
opened new browser window (ie), entered only password; successfully logged in
-------
Logged in with different user successfully =>
logged out =>
closed browser (firefox) =>
opened new browser window, entered only password (for this user); logging in failed =>
opened new browser window (ie), entered only password (for this user); logging in failed
-------
opened new browser window, entered only password for the first user I logged in with; successfully logged in

Slug

Quote from: Delta-9
For those that have the problem 'fixed' do you have multiple users on your roundcube install?

Yes 2 users ...
