olia-dev / kopano-webapp-fetchmail

The plugin allows the user to configure one or more accounts to be polled via fetchmail inside Kopano WebApp.

Possible way to brick a working Installation - changeAESKey.php #3

Closed olia-dev closed 6 years ago

olia-dev commented 6 years ago

The file 'changeAESKey.php' can be called via direct link and can brick a working installation of this plugin.

Executing it will decrypt all stored passwords in the database with a false AES key, re-encrypt those passwords with the same false key and store them in the database. At no point does it actually leak any stored information; it just forces users to re-enter their stored passwords.

Solution: Remove the file 'changeAESKey.php' and release a new build with an empty 'changeAESKey.php' file to make sure it gets overwritten.
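As an added illustration (not code from the kopano-webapp-fetchmail plugin), this shows the two safeguards a key-rotation script like changeAESKey.php would want: it refuses to run unless invoked from the command line, and it uses an authenticated mode (AES-GCM) so a wrong key is detected and nothing is written back. The `$accounts` array, the row layout and the `random_bytes` keys are constructed for the sample; the real plugin reads its key from configuration and its rows from the database.

```php
<?php
// Added example, not part of kopano-webapp-fetchmail. The $accounts array is a
// constructed stand-in for the plugin's database rows, not its real schema.
declare(strict_types=1);

// 1. Only a CLI invocation may rotate keys; a direct web request is refused.
if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    exit('changeAESKey must be run from the command line');
}

function encryptPassword(string $plain, string $key): string {
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    // Store iv + tag + ciphertext; the GCM tag is what lets a wrong key be detected later.
    return base64_encode($iv . $tag . $ct);
}

function decryptPassword(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $plain === false ? null : $plain;   // false means tag mismatch: wrong key or tampering
}

// 2. Rotate only if every row decrypts cleanly; otherwise abort before touching storage.
function rotateKey(array $accounts, string $oldKey, string $newKey): array {
    $rotated = [];
    foreach ($accounts as $id => $stored) {
        $plain = decryptPassword($stored, $oldKey);
        if ($plain === null) {
            throw new RuntimeException("Row $id does not decrypt with the old key; aborting, nothing written");
        }
        $rotated[$id] = encryptPassword($plain, $newKey);
    }
    return $rotated;   // caller writes these back in a single transaction
}

$oldKey   = random_bytes(32);                                    // constructed sample keys
$newKey   = random_bytes(32);
$accounts = [1 => encryptPassword('imap-secret', $oldKey)];      // constructed sample row
$rotated  = rotateKey($accounts, $oldKey, $newKey);
var_dump(decryptPassword($rotated[1], $newKey) === 'imap-secret');
try { rotateKey($accounts, random_bytes(32), $newKey); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

With a wrong old key the second call aborts instead of producing garbage, which is exactly the failure mode the issue describes.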

olia-dev commented 6 years ago

fixed

Thanks to Andreas Brodowski (aka dw2412) for making me aware of this bug.