Ericsson / exchangecalendar

Exchange 2007/2010/2013 Calendar, Tasks, Contacts and GAL Provider.
GNU General Public License v3.0

Password logged to Error Console #317

Closed logological closed 9 years ago

logological commented 9 years ago

When connecting to an Exchange server that uses SHA-1 certificates, the following log messages are visible in Thunderbird's error console:

This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1. https://USERNAME:PASSWORD@example.com/EWS/Exchange.asmx

The problem is that "USERNAME" and "PASSWORD" are my real username and password, as entered in exchangecalendar's configuration dialogs. The password should never be displayed in plaintext anywhere in the user interface, as this makes a shoulder-surfing attack trivial.

This is probably at least partially a security issue in Thunderbird itself (see Bug 1197791). However, the root of the problem may be that the exchangecalendar add-on is manually constructing an HTTPS URL which contains a password in the authority component, and then passing it to Lightning or Thunderbird. This is a known security risk and deprecated by RFC 3986. If exchangecalendar is the originator of this URL, then it should use a more secure method of passing the user's credentials to Lightning/Thunderbird.
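One mitigation on the add-on side for the problem described in this report is to strip the userinfo component (RFC 3986 §3.2.1) from any URL before it is handed to a logger or error console. The following is an added example, not exchangecalendar's or Thunderbird's own code; the URL, "USERNAME" and "PASSWORD" are constructed placeholders, and the function names are assumed.

```javascript
// Added example (not exchangecalendar code): redact credentials embedded in the
// authority component of http(s) URLs before they reach a log or error console.

// Matches absolute http(s) URLs inside free-form log text; the final character
// class keeps trailing sentence punctuation out of the match.
const URL_RE = /https?:\/\/[^\s"'<>]*[^\s"'<>.,;)]/g;

// True if the URL carries userinfo (username and/or password).
function hasCredentials(urlString) {
  try {
    const u = new URL(urlString);
    return u.username !== "" || u.password !== "";
  } catch (e) {
    return false; // not an absolute URL, so there is no authority to inspect
  }
}

// Remove userinfo from one URL, keeping scheme, host, port, path and query.
function redactUrl(urlString) {
  try {
    const u = new URL(urlString);
    if (u.username === "" && u.password === "") return urlString;
    u.username = "";
    u.password = "";
    return u.href; // the serializer drops the "@" once both fields are empty
  } catch (e) {
    return urlString; // leave non-URL text untouched
  }
}

// Redact every URL found in a log line; apply this before console output.
function redactLogLine(line) {
  return line.replace(URL_RE, (match) => redactUrl(match));
}

// Constructed sample shaped like the message quoted in the report above.
const sampleLine =
  "This site makes use of a SHA-1 Certificate; ... " +
  "https://USERNAME:PASSWORD@example.com/EWS/Exchange.asmx";
console.log(redactLogLine(sampleLine));
```

The same check (hasCredentials) can be used as a guard in a test suite to assert that no URL the add-on builds for logging still carries userinfo.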

gtnewton commented 9 years ago

I'm experiencing what I think might be a result of this. Installing the latest version of this plugin (Ubuntu 14.04, Thunderbird 38.2.0, Lightning 4.0.2) I get 401 responses from the server (that is, I see 401 in the console output). I assume it's because our Exchange admins have turned off the ability to log in using this method. The result, of course, is that I can't authenticate and use the Exchange calendar at all.

fraterrisus commented 9 years ago

Ditto @gtnewton 's comment above.

bavincen commented 9 years ago

@logological Post your log where the lines are actually occurring. Thanks a lot

logological commented 9 years ago

@bavincen Nice try; I am not posting my username and password to my Exchange server here.

bavincen commented 9 years ago

@logological I don't want to tell you to post your username and password, you can substitute and post the actual log or give us a pull request

bavincen commented 9 years ago

Ok guys! I tried to find the line where it occurs but failed. I recreated my calendar to check where these lines are coming from, but am still unable to find the issue.

What do we do now?

logological commented 9 years ago

As far as I can tell, Thunderbird has no way of exporting an error log, so attached find a screenshot with the URL containing my username and password blacked out. I don't think there's any more information here than what I posted in the original issue report above. thunderbird_log

logological commented 9 years ago

The underlying problem has been fixed in the Mozilla source. It will be incorporated into an upcoming release (Thunderbird 43, probably).

etanol commented 8 years ago

For the record, this is the official fix pending to propagate to the release channels. The Bugzilla report seems to be protected, though.