[SOGo] Exception in processing of unicode strings

Wolfgang Sourdeau sogo@opengroupware.org
Wed, 21 Nov 2007 09:14:28 -0500


On Wednesday, 21 November 2007 08:43 EST, Helge Hess <helge.hess@opengroupware.org> wrote:

> On 21.11.2007, at 10:12, Ivanov Dmitri wrote:
> > 172.16.0.215 - - [21/Nov/2007:11:57:28 GMT] "POST /SOGo/so/connect?
> > userName=ivanov_dv&password=XXXXXX HTTP/1.1" 204 0/0 0.478 - - 992K
>
> Oh oh, *major* security flaw! The password is transferred in the
> URL??? Or did you add that manually for your debugging?
> [it's already a POST, so no reason to transfer the password in the URL]

It's actually done as a GET through an AJAX request. It's not there for debugging but to do it fast (POST requests are less easy to implement through AJAX).
We are anyway going to replace it with a POST for RC2. So the password will no longer appear in the log files.
However, SSL encryption is and will always be recommended...

--
Wolfgang Sourdeau
T: +1 514 989-2000 ext. 2602   C: +1 514 755-3520
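The leak discussed above is a query string with a password landing in the web server's access log. As an added example (not SOGo code), here is a small scrubber that flags and redacts credential-bearing query parameters in access-log lines of the shape quoted in the thread; the sample line and the list of sensitive parameter names are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample line, modelled on the one quoted in the thread.
# The password value is a placeholder, not a real credential.
SAMPLE_LOG = (
    '172.16.0.215 - - [21/Nov/2007:11:57:28 GMT] "POST /SOGo/so/connect?'
    'userName=ivanov_dv&password=XXXXXX HTTP/1.1" 204 0/0 0.478 - - 992K'
)

# Hypothetical list of parameter names treated as credentials; extend per application.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "secret"}

# Matches the quoted request part of a common-log-format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')


def find_sensitive_params(target: str) -> list[str]:
    """Return the names of credential-like query parameters present in a request target."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_KEYS]


def redact_target(target: str) -> str:
    """Replace the value of every sensitive query parameter with [REDACTED]."""
    parts = urlsplit(target)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="[]" keeps the literal marker readable instead of percent-encoding it
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def scrub_log_line(line: str) -> tuple[str, list[str]]:
    """Scrub one access-log line; return (scrubbed line, names of leaked parameters)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    leaked = find_sensitive_params(m.group("target"))
    if not leaked:
        return line, []
    scrubbed = (line[:m.start("target")] + redact_target(m.group("target"))
                + line[m.end("target"):])
    return scrubbed, leaked


if __name__ == "__main__":
    line, leaked = scrub_log_line(SAMPLE_LOG)
    print(leaked, line)
```

Running the scrubber over existing logs tells you how much credential material is already on disk; moving the parameters into a POST body, as the reply above announces, keeps them out of future access logs but not out of a plaintext capture, hence the SSL recommendation.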
