Hi,

It turned out that only IMAP passwords are stored in the preferences.js after the Communicator process is correctly terminated. POP passwords are stored in preferences.js the first time you fetch mail from the server and cleared at Communicator exit.

This happened using C4.5 on Sun Solaris. Some of you may reproduce this for other OSes and send me any feedback (NOT via bugtraq).

Even this is a security problem:

- Using a multiuser OS like Unix: an evil user may access the preferences file while you are working with Communicator.
- Files may be accessible via network shares.
- In a crash situation the password may not be cleared from the preferences.js.
- In this case the "Quality Feedback Agent" (QFA) may, if you allow him to do so, transfer the preferences.js (w. crypted password) via Internet (readable at any host on the way to Netscape Corp.).

Be aware that the encryption of the password gives *NO* security. You don't need to know the decryption algorithm, because Communicator itself can do the decryption for you. By using a packet sniffer (like HD-MOORE) or setting up a patched IMAP/POP server with a password logging facility, you can easily get the plaintext passwords.

Regards,
Holger van Lengerich

----------------------------------------------------------------------------
Holger van Lengerich - University of Paderborn - Dept. of Computer Science
System-Administration - Warburger Str. 100 - D 33098 Paderborn - Germany
mailto:gimli@uni-paderborn.de - http://www.uni-paderborn.de/admin/gimli
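Added example, not part of the original post and not Netscape code: a defender-side audit of a preferences.js file for the two exposures listed above, namely a file readable by other local users and a password entry still present on disk. It assumes one `user_pref("name", value);` entry per line and that password-bearing preference names contain "password"; the sample preference names are constructed.

```python
import os
import re
import stat
import tempfile

# Assumption: one user_pref("name", value); entry per line.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')

def audit_prefs(path):
    """Return findings for one preferences.js file.
    Only preference names are reported, never the stored values."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other read bit lets another local user copy the file.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other (mode %04o)" % mode)
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            m = PREF_RE.match(line)
            if not m:
                continue
            name, value = m.group(1), m.group(2)
            # Assumption: password prefs have "password" in the name and a
            # non-empty quoted string value (booleans/integers are skipped).
            if ("password" in name.lower()
                    and value.startswith('"') and value != '""'):
                findings.append("stored password in pref: " + name)
    return findings

def demo():
    # Constructed sample file; pref names and values are made up.
    sample = (
        '// constructed sample\n'
        'user_pref("mail.example_password", "AAAA");\n'
        'user_pref("mail.example_empty_password", "");\n'
        'user_pref("mail.remember_password", true);\n'
    )
    fd, path = tempfile.mkstemp(suffix=".js")
    with os.fdopen(fd, "w") as fh:
        fh.write(sample)
    try:
        os.chmod(path, 0o644)
        loose = audit_prefs(path)
        os.chmod(path, 0o600)
        tight = audit_prefs(path)
    finally:
        os.remove(path)
    return loose, tight
```

Running the audit both while the client is open and after it exits shows whether an entry is only transient or persists at rest.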
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:22 PDT