SSL IMAP account sends plaintext passwords in the clear

Bug #257906 reported by Lee Maguire
Affects: evolution (Ubuntu)
Status: Invalid
Importance: Medium
Assigned to: Ubuntu Desktop Bugs

Bug Description

Binary package hint: evolution

version is 2.23.6 from intrepid

On installing the evolution packages from intrepid, one of my email accounts starts prompting me for my IMAP password and rejects it, telling me LOGIN is disabled. It no longer lets me retrieve mail (other accounts seem fine).

Assuming it might be an SSL negotiation issue, I ran a packet sniffer and captured the following IMAP traffic (some obfuscation):

------------------------------
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5] imap.example.com IMAP4rev1 2003.339 at Thu, 14 Aug 2008 14:59:40 +0100 (BST)
C00000 CAPABILITY
* CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5
C00000 OK CAPABILITY completed
C00001 LOGIN myusername myplaintextpassword
C00001 NO LOGIN failed
C00002 LOGOUT
* BYE imap.example.com IMAP4rev1 server terminating connection
C00002 OK LOGOUT completed
------------------------------

I was somewhat surprised to see my credentials sent in plain text over a non-encrypted connection, especially since:
 * I've configured it to use SSL
 * I've configured it to use CRAM-MD5
 * The client is attempting LOGIN despite the server advertising LOGINDISABLED (RFC 2595) as a capability

This is the relevant configuration fragment from my gconf configuration:

<url>imap://myusername;<email address hidden>/;imap_custom_headers;command=ssh%20-C%20-l%20%25u%20%25h%20exec%20/usr/sbin/imapd;use_ssl=always;use_lsub</url>

Revision history for this message
Lee Maguire (leemaguire) wrote :

I've run a session with the camel debug output and tried to pull out the relevant parts:

It does authenticate OK using CRAM-MD5 over an SSL connection:
-------------------------------

  full_name:received: * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN] imap.example.com IMAP4rev1 2003.339 at Thu, 14 Aug 2008 15:53:19 +0100 (BST)
sending : B00000 CAPABILITY
received: * CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN
received: B00000 OK CAPABILITY completed
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Key file does not have key 'imap:__myusername;<email address hidden>com_'
sending : B00001 AUTHENTICATE CRAM-MD5
received: + PDI[...the cram-md5 authentication...]Pg==
received: B00001 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User myusername authenticated

It gets the listing of the folders and subscribed folders OK:
-----------------------------------------------------------

received: B00002 OK NAMESPACE completed
sending : B00003 LIST "" "*"
[etc]
received: * LIST

received: B00003 OK LIST completed
sending : B00004 LSUB "" "*"
received: * LSUB (\NoInferiors) NIL INBOX
[etc]
received: B00004 OK LSUB completed

Then, for some reason, it decides it didn't like the OK response?
------------------------------------------------------------
CamelException.setv((nil), 303, 'Unexpected OK response from IMAP server: B00001 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User myusername authenticated')

Now it attempts to query the server again (not over SSL) and prompts for a password; I click cancel:
-----------------------------------------------------------------------------------------------------
received: * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5] imap.example.com IMAP4rev1 2003.339 at Thu, 14 Aug 2008 15:53:35 +0100 (BST)
sending : C00000 CAPABILITY
received: * CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5
received: C00000 OK CAPABILITY completed
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Key file does not have key 'imap:<email address hidden>'
sending : C00001 LOGOUT
received: * BYE imap.example.com IMAP4rev1 server terminating connection

It does it again; this time I give it the password. Since LOGINDISABLED is in effect it will be rejected regardless:
---------------------------------------------------
received: * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5] imap.example.com IMAP4rev1 2003.339 at Thu, 14 Aug 2008 15:54:01 +0100 (BST)
sending : C00000 CAPABILITY
received: * CAPABILITY IMAP4REV1 IDLE NAMESPACE M...

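The two captures above (the plaintext session in the bug description, where the server advertises STARTTLS and LOGINDISABLED and the client still sends LOGIN, and the SSL session in the debug trace, where the server offers AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN without LOGINDISABLED) illustrate the decision a client has to make before any credential leaves the socket. The following is an added example, not code from the bug report or from Evolution/Camel: it parses IMAP capability advertisements, applies the RFC 2595 rules (prefer STARTTLS on a cleartext connection, never send LOGIN while LOGINDISABLED is advertised), computes an RFC 2195 CRAM-MD5 response, and audits a captured transcript for exactly the leak reported here. The transcript lines are constructed from the obfuscated capture above; the CRAM-MD5 test vector is the worked example from RFC 2195.

```python
# Added example (not part of the bug report or of Evolution/Camel).
# Capability parsing, the pre-authentication decision of RFC 2595, the
# CRAM-MD5 client response of RFC 2195, and an audit of a captured session.
import base64
import hashlib
import hmac

CAP_PREFIX = "* CAPABILITY "

# Constructed from the capture in the bug description (password obfuscated).
CAPTURE_PLAINTEXT = [
    "* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5] imap.example.com IMAP4rev1 2003.339",
    "C00000 CAPABILITY",
    "* CAPABILITY IMAP4REV1 IDLE NAMESPACE LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5",
    "C00000 OK CAPABILITY completed",
    "C00001 LOGIN myusername myplaintextpassword",
    "C00001 NO LOGIN failed",
    "C00002 LOGOUT",
]

# Constructed from the SSL session in the debug trace (challenge elided).
CAPTURE_TLS = [
    "* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN] imap.example.com IMAP4rev1 2003.339",
    "B00000 CAPABILITY",
    "B00000 OK CAPABILITY completed",
    "B00001 AUTHENTICATE CRAM-MD5",
    "+ PDI...Pg==",
    "B00001 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE] User myusername authenticated",
]

# Worked example from RFC 2195 (user "tim", password "tanstaaftanstaaf").
RFC2195_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"


def parse_capabilities(line):
    """Capability tokens from '* CAPABILITY ...' or any '[CAPABILITY ...]' code."""
    if line.startswith(CAP_PREFIX):
        return set(line[len(CAP_PREFIX):].split())
    start = line.find("[CAPABILITY ")
    if start < 0:
        return set()
    end = line.find("]", start)
    if end < 0:
        return set()
    return set(line[start + len("[CAPABILITY "):end].split())


def choose_auth(caps, tls_established, prefer=("CRAM-MD5", "PLAIN", "LOGIN")):
    """Next step before a credential is sent: ("STARTTLS",), ("AUTHENTICATE", mech)
    or ("LOGIN",). Raises PermissionError if every option would expose the password."""
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    if not tls_established:
        if "STARTTLS" in caps:
            return ("STARTTLS",)  # upgrade first, then re-issue CAPABILITY (RFC 2595)
        if "CRAM-MD5" in mechs:
            return ("AUTHENTICATE", "CRAM-MD5")  # challenge/response: no cleartext secret
        raise PermissionError("no TLS and no challenge/response mechanism: refusing")
    for mech in prefer:
        if mech in mechs:
            return ("AUTHENTICATE", mech)
    if "LOGINDISABLED" in caps:
        raise PermissionError("server advertises LOGINDISABLED; LOGIN must not be sent")
    return ("LOGIN",)


def cram_md5_response(username, password, challenge_b64):
    """RFC 2195 client reply: base64(user + ' ' + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def is_server_line(line):
    """Untagged ('* ', '+ ') or tagged status (OK/NO/BAD) lines come from the server."""
    if line.startswith(("* ", "+ ")):
        return True
    parts = line.split(None, 2)
    return len(parts) >= 2 and parts[1] in ("OK", "NO", "BAD")


def audit_transcript(lines, tls_established):
    """Walk a captured session, tracking advertised capabilities, and report
    client commands that expose a password the way the capture above does."""
    caps, findings = set(), []
    for line in lines:
        if is_server_line(line):
            caps |= parse_capabilities(line)
            continue
        parts = line.split(None, 2)  # tag, command, arguments
        if len(parts) < 2:
            continue
        tag, cmd = parts[0], parts[1].upper()
        if cmd == "LOGIN":
            if not tls_established:
                findings.append(f"{tag}: LOGIN sent without TLS (password in the clear)")
            if "LOGINDISABLED" in caps:
                findings.append(f"{tag}: LOGIN sent although server advertised LOGINDISABLED")
        elif cmd == "AUTHENTICATE" and not tls_established \
                and len(parts) > 2 and parts[2].upper().startswith("PLAIN"):
            findings.append(f"{tag}: AUTHENTICATE PLAIN sent without TLS")
    return findings


if __name__ == "__main__":
    for finding in audit_transcript(CAPTURE_PLAINTEXT, tls_established=False):
        print(finding)
    print("TLS session findings:", audit_transcript(CAPTURE_TLS, tls_established=True))
```

Run against the plaintext capture the audit reports the LOGIN twice: once because no TLS is in place, once because the server had advertised LOGINDISABLED; the SSL session from the debug trace produces no findings. `choose_auth` is the check Evolution's fallback path is missing: on the cleartext greeting it returns STARTTLS rather than LOGIN, and with only AUTH=PLAIN and no TLS it refuses outright rather than degrading.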

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thank you for your bug report. The issue seems to be an upstream one; could you open it on bugzilla.gnome.org, where the people who write the code can reply?

Changed in evolution:
assignee: nobody → desktop-bugs
importance: Undecided → Medium
Revision history for this message
Pedro Villavicencio (pedro) wrote :

leaving this as incomplete until it gets forwarded upstream, thanks.

Changed in evolution:
status: New → Incomplete
Revision history for this message
Sebastien Bacher (seb128) wrote :

Could you send the bug to bugzilla, since you get the issue and can reply to their comments?

Revision history for this message
Sebastien Bacher (seb128) wrote :

Do you consider the issue similar to http://bugzilla.gnome.org/show_bug.cgi?id=531156?

Revision history for this message
Sebastien Bacher (seb128) wrote :

Could you reply to the comments there?

Revision history for this message
Sebastien Bacher (seb128) wrote :

We are closing this bug report as it lacks the information, described in the previous comments, that we need to investigate the problem further. However, please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future.

Changed in evolution:
status: Incomplete → Invalid