Roundcube Still Has That Major Security Flaw!!!!!

[simplistsims]

I noticed with the new version of roundcube I can still log in with only my password. I was told this flaw was resolved but it looks like it wasn't. I would really like to see the resolved aswell as other people. Anyone can try and use a dictionary attack to login without the need to find a e-mail address/login.

[Slug]

well I just tried to log in with ONLY my password, it it failed.. so I works for me ...


Michael

[simplistsims]

what kinda error came up?

[Slug]

what kinda error came up?

"log in Failed"

Michael

[flash]

Login failed for me as well.

[KeblerelfKC]

I tried the passwords for a few different accounts and all mine failed as well. You're using the 0.1 Beta 2 version right?

[simplistsims]

yeah i am

[richardt]

"Login Failed" here too...  

[Delta-9]

login worked for me w/ only the password.

For those that have the problem 'fixed' do you have multiple users on your roundcube install?

I only have one account (mine) on my roundcube install, so I am just wondering if that has anything to do with it. This isnt a major concern of mine, since I am the only one that uses this and I am the only one that knows my password.

[KeblerelfKC]

Yeah...have multiple users in my case.

[flash]

What do you mean multiple users? RC does not know how many users are going to use it.

What setting in the config file are you talking about? Maybe that is the key. What ever config value you have set, maybe we don't.

[KeblerelfKC]

My assumption was that they meant multiple records in the RC users table.

[poncho]

I have only one mail account (my own) and yes, I can login with only my password.

But I don't think this is a critical bug. The username is bla@domain.de for me and everyone can see it.
The password is the secret thing and without it you can do nothing

[moroswitie]

I checked it, and this is wat it gave,

fresh install, no users stored in the mysql database

-------
Logged in with user succesfully =>
logged out =>
closed browser (firefox) =>
opened new browser window entered only password; succesfully logged in =>
=>
opened new browser windows (ie) entered only password; succesfully logged in
-------
-------
Logged in with different user succesfully =>
logged out =>
closed browser (firefox) =>
opened new browser window, entered only password (for this user); logging in failed =>
=>
opened new browser windows (ie), entered only password (for this user); logging in failed
-------
-------
opened new browser window, entered only password for the first user I logged in with; succesfully logged in

[Slug]

For those that have the problem 'fixed' do you have multiple users on your roundcube install?

Yes 2 users ...

Michael