SSL IMAP account sends plaintext passwords in the clear
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
evolution (Ubuntu) | Invalid | Medium | Ubuntu Desktop Bugs |
Bug Description
Binary package hint: evolution
version is 2.23.6 from intrepid
On installing evolution packages from intrepid, one of my email accounts starts prompting me for my IMAP password and rejects it, telling me LOGIN is disabled. It no longer lets me retrieve mail (other accounts seem fine).
Assuming it might be an SSL negotiation issue, I ran a packet sniffer and captured the following (with some obfuscation).
IMAP traffic:
-------
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5] imap.example.com IMAP4rev1 2003.339 at Thu, 14 Aug 2008 14:59:40 +0100 (BST)
C00000 CAPABILITY
* CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=
C00000 OK CAPABILITY completed
C00001 LOGIN myusername myplaintextpassword
C00001 NO LOGIN failed
C00002 LOGOUT
* BYE imap.example.com IMAP4rev1 server terminating connection
C00002 OK LOGOUT completed
-------
I was somewhat surprised to see my credentials sent in plain text over a non-encrypted connection, especially since:
* I've configured it to use SSL
* I've configured it to use CRAM-MD5
* The client is attempting LOGIN despite the server advertising LOGINDISABLED (RFC 2595) as a capability
* !
This is the relevant configuration fragment from my gconf configuration:
<url>imap:
I've run a session with the camel debug output and tried to pull out the relevant parts:
It does authenticate OK using CRAM-MD5 over an SSL connection:
-------
received: * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN] imap.example.com IMAP4rev1 2003.339 at Thu, 14 Aug 2008 15:53:19 +0100 (BST)
sending : B00000 CAPABILITY
received: * CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN
received: B00000 OK CAPABILITY completed
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Key file does not have key 'imap:_ _myusername; <email address hidden>com_'
sending : B00001 AUTHENTICATE CRAM-MD5
received: + PDI[...the cram-md5 authentication...]Pg==
received: B00001 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User myusername authenticated
It gets the listing of the folders and subscribed folders OK:
-------
received: B00002 OK NAMESPACE completed
sending : B00003 LIST "" "*"
[etc]
received: * LIST
received: B00003 OK LIST completed
sending : B00004 LSUB "" "*"
received: * LSUB (\NoInferiors) NIL INBOX
[etc]
received: B00004 OK LSUB completed
Then for some reason it decides it didn't like the OK response?
-------
CamelException.setv((nil), 303, 'Unexpected OK response from IMAP server: B00001 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User myusername authenticated')
-------
Now it attempts to query the server again (not over SSL) and prompts for a password; I click cancel:
-------
received: * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5] imap.example.com IMAP4rev1 2003.339 at Thu, 14 Aug 2008 15:53:35 +0100 (BST)
sending : C00000 CAPABILITY
received: * CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5
received: C00000 OK CAPABILITY completed
e-data-server-ui-Message: Unable to find password(s) in keyring (Keyring reports: No matching results)
e-data-server-ui-Message: Key file does not have key 'imap:<email address hidden>'
sending : C00001 LOGOUT
received: * BYE imap.example.com IMAP4rev1 server terminating connection
It does it again; this time I give it the password. Since LOGINDISABLED is in effect it will be rejected regardless:
-------
received: * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5] imap.example.com IMAP4rev1 2003.339 at Thu, 14 Aug 2008 15:54:01 +0100 (BST)
sending : C00000 CAPABILITY
received: * CAPABILITY IMAP4REV1 IDLE NAMESPACE M...
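The behaviour described in this report, a client issuing a plaintext LOGIN on a cleartext connection although the greeting advertises LOGINDISABLED, is exactly what RFC 2595 section 3.2 forbids. The following is an added example, not Evolution or Camel code: it parses the server's CAPABILITY list from greeting or untagged responses, picks the only authentication step that keeps the password off an unprotected wire (STARTTLS first, then CRAM-MD5, then LOGIN only inside TLS), computes the RFC 2195 CRAM-MD5 reply to show why that mechanism never sends the password itself, and audits a camel-style `sending :` / `received:` transcript for violations. The hostname, challenge bytes and `SAMPLE_TRANSCRIPT` are constructed, modelled on the logs above; the function names are my own.

```python
"""Check IMAP authentication against the server's advertised CAPABILITY list
and audit a client/server transcript for a password sent in the clear.

Added example for this bug report, not Evolution/Camel code. It encodes the
rule of RFC 2595 s.3.2 (a client MUST NOT issue LOGIN while the server
advertises LOGINDISABLED) and the CRAM-MD5 digest of RFC 2195. The hostname,
challenge and transcript below are constructed, modelled on the report's logs.
"""
import base64
import hashlib
import hmac
import re

_BRACKETED_CAPS = re.compile(r"\[CAPABILITY ([^\]]*)\]")


def parse_capabilities(line):
    """Capability names (upper-cased) from a greeting or tagged OK carrying a
    [CAPABILITY ...] response code, or from an untagged '* CAPABILITY' line."""
    m = _BRACKETED_CAPS.search(line)
    if m:
        return {c.upper() for c in m.group(1).split()}
    if line.startswith("* CAPABILITY "):
        return {c.upper() for c in line[len("* CAPABILITY "):].split()}
    return set()


def choose_auth(caps, tls_active):
    """Next client step that never puts the password on an unprotected wire.
    Returns 'STARTTLS', 'AUTHENTICATE CRAM-MD5', 'LOGIN' or 'ABORT'."""
    if not tls_active and "STARTTLS" in caps:
        return "STARTTLS"               # upgrade first, then re-fetch capabilities
    if "AUTH=CRAM-MD5" in caps:
        return "AUTHENTICATE CRAM-MD5"  # challenge-response: password never on the wire
    if "LOGINDISABLED" in caps:
        return "ABORT"                  # RFC 2595: LOGIN forbidden, nothing better offered
    if tls_active:
        return "LOGIN"                  # plaintext LOGIN is acceptable only inside TLS
    return "ABORT"                      # no TLS and no SASL mechanism: keep the password


def cram_md5_digest(password, challenge):
    """Hex HMAC-MD5 of the server's challenge bytes keyed with the password (RFC 2195)."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username, password, b64_challenge):
    """Client reply to a '+ <base64 challenge>' continuation: base64('user hexdigest')."""
    digest = cram_md5_digest(password, base64.b64decode(b64_challenge))
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def audit_transcript(lines, tls_active=False):
    """Scan camel-style debug lines ('sending : ...' / 'received: ...') and
    return findings for client commands that expose the password contrary to
    the advertised capabilities or outside TLS. Pass tls_active=True for an SSL port."""
    caps, findings = set(), []
    for line in lines:
        if line.startswith("received: "):
            caps |= parse_capabilities(line[len("received: "):])
            continue
        if not line.startswith("sending : "):
            continue
        parts = line[len("sending : "):].split()
        if len(parts) < 2:
            continue
        tag, command = parts[0], parts[1].upper()
        if command == "STARTTLS":
            tls_active, caps = True, set()   # RFC 2595: re-fetch capabilities after TLS
        elif command == "LOGIN":
            if "LOGINDISABLED" in caps:
                findings.append(f"{tag}: LOGIN sent although server advertises LOGINDISABLED (RFC 2595 s.3.2)")
            if not tls_active:
                findings.append(f"{tag}: plaintext password sent without TLS")
        elif (command == "AUTHENTICATE" and len(parts) > 2 and not tls_active
              and parts[2].upper() in ("PLAIN", "LOGIN")):
            findings.append(f"{tag}: AUTHENTICATE {parts[2].upper()} sent without TLS")
    return findings


# Constructed challenge and transcript, modelled on the cleartext session in the report.
SAMPLE_CHALLENGE_B64 = base64.b64encode(b"<1234.1218725600@imap.example.com>").decode()
SAMPLE_TRANSCRIPT = [
    "received: * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=CRAM-MD5] imap.example.com IMAP4rev1 ready",
    "sending : C00000 CAPABILITY",
    "received: * CAPABILITY IMAP4REV1 IDLE NAMESPACE STARTTLS LOGINDISABLED AUTH=CRAM-MD5",
    "received: C00000 OK CAPABILITY completed",
    "sending : C00001 LOGIN myusername myplaintextpassword",
    "received: C00001 NO LOGIN failed",
    "sending : C00002 LOGOUT",
]

if __name__ == "__main__":
    caps = parse_capabilities(SAMPLE_TRANSCRIPT[0][len("received: "):])
    print("correct next step on the cleartext port:", choose_auth(caps, tls_active=False))
    for finding in audit_transcript(SAMPLE_TRANSCRIPT):
        print("FINDING", finding)
```

Run against the constructed transcript, the audit reports the C00001 LOGIN twice: once because LOGINDISABLED was advertised, once because no TLS was active. The same greeting fed to `choose_auth` yields STARTTLS on the cleartext port and AUTHENTICATE CRAM-MD5 once TLS is up, which is the path the reporter's configuration asked for. The audit deliberately clears the capability set after STARTTLS, since RFC 2595 says capabilities seen before the upgrade cannot be trusted.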