AfterLogic Forum : AfterLogic WebMail Lite

Topic: Security of saved passwords in database
tigertech (Newbie)
Joined: 21 November 2019
Posts: 23
Posted: 21 November 2019 at 5:12pm

I'm experimenting with Webmail Lite 8. It looks like a good product.

I noticed that in the MySQL database "au_eav_attributes_string" table, it stores an encrypted "IncomingPassword" for each user that looks like, say, "UdEjD0Vt55OXV71wq1DJoo59VUK99ruKmrJnSdgGlf5OjOHp".

I looked at how the encryption works for this, and although I may be mistaken, it appears to use reversible encryption with the contents of the "/data/salt8.php" file used as a fixed encryption/decryption key.

That implies that if a "hacker" was able to obtain a copy of both the "/data/salt8.php" file and the contents of the database, they could then bulk decrypt the plaintext email passwords for each user.

Is that the case, or have I misunderstood how the code works?

If it is the case, this makes it difficult for me to use the product, as we have a fairly strict policy that it must not be possible to decrypt passwords by stealing all the "data at rest" from a server. Obviously the code needs the plaintext IMAP password to access mail, but the usual way to do this would be for the password to be saved not just with fixed server key encryption, but to rely on both a server key and a key that's part of the browser cookie sent with each request. That way, the password cannot be stolen even if you steal all the server's data, because you don't know the browser's secret part.

Again, I may have misunderstood how it works, though. Any details on the security of the password storage on the server would be appreciated. Thanks!
 
Igor (AfterLogic Support)
Joined: 24 June 2008
Location: United States
Posts: 6038
Posted: 22 November 2019 at 12:44am

Hello,

I believe you've understood the idea of the current implementation correctly. While the idea of using browser cookies for enhanced security sounds appealing, the problem with implementing that is that the use of WebMail isn't limited to a web browser; it's also used via API, for instance in mobile applications where cookies don't exist. Mobile sync, implemented via DAV, relies on passwords stored in the database as well. Hence, a unified approach for storing passwords is required.

If you only need web-browser access to WebMail, we could implement that for you under a custom development contract. Please let us know if you might be interested.

--
Regards,
Igor, Afterlogic Support
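The split-key scheme tigertech describes above (server key plus a secret carried in the browser cookie, so a copy of the database and salt file alone is not enough to decrypt), and the constraint Igor raises about clients that cannot hold a cookie, as an added, self-contained illustration. This is not AfterLogic's code and makes no claim about how WebMail Lite derives or applies its key: the function names, the `webmail-record-key-v1` label, the sample server secret and the user id are constructed for the example. It uses only the Python standard library, so the record cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag standing in for AES-GCM; the point being demonstrated is the key split, not the cipher choice.

```python
"""
Split-key storage for an IMAP password (constructed example, stdlib only).

Threat model from the thread: an attacker who copies every byte at rest on
the server (database rows plus the salt file) must not be able to recover
plaintext mail passwords.  The stored record is encrypted under a key
derived from TWO parts:

  * server_secret  - lives on the server (the role the salt file plays)
  * browser_secret - random per login, returned to the browser in a cookie,
                     never persisted on the server

Either half alone is useless; the server re-assembles the key only while
handling a request that presents the cookie.
"""
import hashlib
import hmac
import secrets

LABEL = b"webmail-record-key-v1"   # constructed domain-separation label
NONCE_LEN = 16
TAG_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_record_key(server_secret: bytes, browser_secret: bytes, user_id: str) -> bytes:
    """Both halves feed HKDF-Extract; user_id in `info` binds the key to one row."""
    return hkdf_sha256(server_secret + browser_secret, salt=LABEL,
                       info=b"imap-password:" + user_id.encode())


def _subkeys(record_key: bytes):
    return hkdf_sha256(record_key, LABEL, b"enc"), hkdf_sha256(record_key, LABEL, b"mac")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: stand-in for AES-CTR, since the stdlib has no AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(record_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(record_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(record_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key half fails here, not silently."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    enc_key, mac_key = _subkeys(record_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def store_password_at_login(server_secret: bytes, user_id: str, imap_password: str):
    """Run once at login.  Returns (db_record, cookie_value); only db_record is persisted."""
    browser_secret = secrets.token_bytes(32)
    key = derive_record_key(server_secret, browser_secret, user_id)
    return seal(key, imap_password.encode()), browser_secret.hex()


def password_for_request(server_secret: bytes, user_id: str, db_record: bytes,
                         cookie_value: str) -> str:
    """Per request: re-derive the key from both halves and open the stored record."""
    key = derive_record_key(server_secret, bytes.fromhex(cookie_value), user_id)
    return unseal(key, db_record).decode()


def attacker_with_server_data_only(server_secret: bytes, user_id: str, db_record: bytes) -> bool:
    """Simulates theft of the salt file plus the database: the cookie half is absent,
    so the best the attacker can do is guess an empty browser secret.  Returns True
    only if that recovers the password (it must not)."""
    try:
        password_for_request(server_secret, user_id, db_record, "")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    SERVER_SECRET = b"constructed-stand-in-for-the-salt-file"   # constructed value
    record, cookie = store_password_at_login(SERVER_SECRET, "alice", "s3cret-imap")
    print("stored record (hex):", record.hex())
    print("with cookie:", password_for_request(SERVER_SECRET, "alice", record, cookie))
    print("server data alone recovers password:",
          attacker_with_server_data_only(SERVER_SECRET, "alice", record))
```

The cookie value here is half of the key, not a session identifier, so it needs the same handling as a credential (Secure, HttpOnly, never logged). The trade-off Igor describes falls straight out of `password_for_request`: a DAV or mobile client that never received the cookie has nothing to pass as `cookie_value`, so an account used that way cannot be stored under this scheme without some other channel for the second half.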
 
tigertech (Newbie)
Joined: 21 November 2019
Posts: 23
Posted: 22 November 2019 at 8:42am

Igor wrote:
Hello,

I believe you've understood the idea of the current implementation correctly. While the idea of using browser cookies for enhanced security sounds appealing, the problem with implementing that is that the use of WebMail isn't limited to a web browser; it's also used via API, for instance in mobile applications where cookies don't exist. Mobile sync, implemented via DAV, relies on passwords stored in the database as well. Hence, a unified approach for storing passwords is required.

Thanks for the quick response; that makes sense. I'll consider whether I can supply my own patch for this, and will share it if so.
 
fl1tz_AL (Newbie)
Joined: 09 December 2019
Location: Germany
Posts: 11
Posted: 09 December 2019 at 2:19pm

Hello tigertech,
I am curious and looking forward to a possible solution.
 

Powered by Web Wiz Forums version 7.9
Copyright ©2001-2004 Web Wiz Guide