Smartermail Version 16.X - username and password exploit
Problem reported by Jade Benson - December 14, 2017 at 12:24 AM
Not A Problem
For SmarterTools Security team - ticket 28A-21C4E234-0058
 
For the community - ensure that your webmail interface redirects to https ASAP.
There is an issue with Smartermail 16 that allows for credentials to be sent via plain text (unencrypted) - exposing usernames and passwords.
 
 

4 Replies
Tim Uzzanti Replied
Employee Post
Jade,
 
It is not uncommon. It is how almost all products POST to APIs and require / demand HTTPS!
 
 
No customer should run a mail server without HTTPS enabled and required!
 
Also, most synchronization protocols for mail used over the Internet are the same way.  It is for that reason HTTPS / TLS etc. should be enabled.
 
Tim
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
echoDreamz Replied
Yep - We have rewrite rules for our common hostnames that automatically redirect to HTTPS when used.

Christopher

Jade Benson Replied
Tim

When will Smartertools resolve the issue?

Stating that one needs to utilize SSL / TLS because a portion of your code posts usernames and passwords in plain text is not a fix at all.

Jade Benson Replied
As a sample where credentials are sent via plain text, you should consider the following:
http://restcookbook.com/Basics/loggingin/
 
SmarterMail Credentials leak