Package: freepops
Version: 0.0.98-2
Severity: grave
Tags: security
Justification: user security hole

Hi,

I have been using freepops for a while for accessing some of my accounts and I just discovered that the hotmail plugin seems to have a *very* nasty side-effect: it creates a world-readable file named log_raw.txt right under the root directory and it contains sensitive information (the whole transaction/contents of the emails).

Here is an excerpt from such a file that does *not* contain sensitive information:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Fri Apr 14 09:02:50 2006 : Session removed (STAT Failure) - Account: [EMAIL PROTECTED]
Fri Apr 14 09:05:32 2006 : Entering login
Fri Apr 14 09:05:43 2006 : Successful login
Fri Apr 14 11:14:41 2006 : Entering login
Fri Apr 14 11:14:52 2006 : Successful login
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Given the problem of such a breach, I'd think that the current recommendation would be to disable the module. Other modules may be affected by the same problem (I don't know, as I don't use many of them).

Please let me know if more information is needed.

Thanks, Rogério Brito.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16.5-1
Locale: LANG=C, LC_CTYPE=pt_BR (charmap=ISO-8859-1)

Versions of packages freepops depends on:
ii  debconf [debconf-2.0]  1.4.72    Debian configuration management sy
ii  libc6                  2.3.6-3   GNU C Library: Shared libraries an
ii  libcurl3-gnutls        7.15.3-1  Multi-protocol file transfer libra
ii  libexpat1              1.95.8-3  XML parsing C library - runtime li
ii  libgcrypt11            1.2.2-1   LGPL Crypto library - runtime libr
ii  lsb-base               3.0-16    Linux Standard Base 3.0 init scrip

freepops recommends no packages.

-- debconf information:
* freepops/jail: false
* freepops/init: true

--
Rogério Brito : [EMAIL PROTECTED] : http://www.ime.usp.br/~rbrito
Homepage of the algorithms package : http://algorithms.berlios.de
Homepage on freshmeat: http://freshmeat.net/projects/algorithms/