Roundcube Community Forum

 

passwords sent in clear text

Started by ralf223, February 15, 2017, 06:19:21 PM

ralf223

Hello -

After logging in to Roundcube (0.7), my password remains visible in plain text (!) in the browser history. Even days later, someone can potentially log into my account by typing a single letter into the browser's URL field. They can also retrieve my email address and password.

Is this normal, or does my mail administrator (tuffmail.com) have Roundcube configured wrong somehow? Has this been addressed in a later release?

Thanks for any advice,
RB

SKaero

Wow, that's bad on so many levels.

1. Password remains visible in plain text in the browser history
This is a Tuffmail problem. You'll notice the file is "rclogin-2.php"; that isn't a Roundcube file, it's something that Tuffmail has built. Badly.

2. Roundcube (0.7)
It seems that Tuffmail offers two versions of Roundcube, both of which are extremely out of date with known security vulnerabilities:
0.7.2 - released March 11, 2012 (nearly 5 years out of date)
0.5.3 - released June 02, 2011 (over 5 and 1/2 years out of date), and not even the last release in the 0.5.x branch

Needless to say I'd recommend switching providers ASAP!

ralf223

Thanks for the prompt reply - that's very helpful. Will follow up with Tuffmail.

And thanks also for a great mail client!

RB