Author Topic: Roundcube Still Has That Major Security Flaw!!!!!  (Read 12682 times)

Offline simplistsims

Roundcube Still Has That Major Security Flaw!!!!!
« on: August 10, 2006, 10:31:08 AM »
I noticed with the new version of Roundcube I can still log in with only my password. I was told this flaw was resolved but it looks like it wasn't. I would really like to see this resolved as well as other people. Anyone can try and use a dictionary attack to log in without the need to find an e-mail address/login.
Duca Duca Duca Duca - Dr. Evil *Say it fast*

Offline Slug

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #1 on: August 10, 2006, 10:49:36 AM »
Well, I just tried to log in with ONLY my password, and it failed... so it works for me ... 8)


Michael
Roundcube SVN 1335|PHP 5.2.4|hMailServer 5|Win 2003 SP2|IIS 6

Offline simplistsims

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #2 on: August 10, 2006, 10:56:09 AM »
what kinda error came up?

Offline Slug

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #3 on: August 10, 2006, 11:23:16 AM »
Quote from: simplistsims
what kinda error came up?

"log in Failed"


Offline flash

Password only does not let me login
« Reply #4 on: August 10, 2006, 12:44:45 PM »
Login failed for me as well.

Offline KeblerelfKC

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #5 on: August 10, 2006, 02:34:44 PM »
I tried the passwords for a few different accounts and all mine failed as well. You're using the 0.1 Beta 2 version, right?

Offline simplistsims

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #6 on: August 11, 2006, 08:26:44 AM »
Yeah, I am.

Offline richardt

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #7 on: August 13, 2006, 08:30:52 PM »
"Login Failed" here too...  ;)

Offline Delta-9

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #8 on: August 14, 2006, 04:27:12 PM »
Login worked for me w/ only the password.

For those that have the problem 'fixed' do you have multiple users on your roundcube install?

I only have one account (mine) on my roundcube install, so I am just wondering if that has anything to do with it. This isn't a major concern of mine, since I am the only one that uses this and I am the only one that knows my password.


Offline KeblerelfKC

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #9 on: August 14, 2006, 10:01:14 PM »
Yeah...have multiple users in my case.

Offline flash

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #10 on: August 14, 2006, 10:22:56 PM »
What do you mean multiple users? RC does not know how many users are going to use it.

What setting in the config file are you talking about? Maybe that is the key. Whatever config value you have set, maybe we don't.

Offline KeblerelfKC

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #11 on: August 16, 2006, 12:32:02 AM »
My assumption was that they meant multiple records in the RC users table.

Offline poncho

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #12 on: August 16, 2006, 05:44:37 AM »
I have only one mail account (my own) and yes, I can log in with only my password.

But I don't think this is a critical bug. The username is bla@domain.de for me and everyone can see it.
The password is the secret thing and without it you can do nothing :)

Offline moroswitie

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #13 on: August 16, 2006, 08:14:38 AM »
I checked it, and this is what it gave:

Fresh install, no users stored in the MySQL database.

-------
Logged in with user successfully =>
logged out =>
closed browser (Firefox) =>
opened new browser window, entered only password; successfully logged in =>
=>
opened new browser window (IE), entered only password; successfully logged in
-------
-------
Logged in with different user successfully =>
logged out =>
closed browser (Firefox) =>
opened new browser window, entered only password (for this user); logging in failed =>
=>
opened new browser window (IE), entered only password (for this user); logging in failed
-------
-------
Opened new browser window, entered only password for the first user I logged in with; successfully logged in

Offline Slug

Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #14 on: August 17, 2006, 09:19:27 AM »
Quote from: Delta-9
For those that have the problem 'fixed' do you have multiple users on your roundcube install?

Yes 2 users ...
