Smartermail Version 16.X - username and password exploit

Problem reported by Jade D - 12/14/2017 at 12:24 AM

Not A Problem

For SmarterTools Security team - ticket 28A-21C4E234-0058

For the community - ensure that your webmail interface redirects to https ASAP.

There is an issue with Smartermail 16 that allows for credentials to be sent via plain text (unencrypted) - exposing usernames and passwords.

Jade

https://absolutehosting.co.za

4 Replies

Reply to Thread

Tim Uzzanti Replied

12/14/2017 at 2:19 PM

Employee Post

Jade,

It is not uncommon. It is how almost all products POST to API's and require / demand HTTPS!

No customer should run a mail server without HTTPS enabled and required!

Also, most synchronization protocols for mail used over the Internet are the same way. It is for that reason HTTPS / TLS etc. should be enabled.

Tim

Tim Uzzanti CEO SmarterTools Inc. (877) 357-6278 www.smartertools.com

echoDreamz Replied

12/14/2017 at 2:37 PM

Yep - We have rewrite rules for our common hostnames that automatically redirect to HTTPS when used.

Jade D Replied

12/14/2017 at 2:58 PM

Tim

When will Smartertools resolve the issue?

Stating that one needs to utilize SSL / TLS because a portion of your code posts usernames and passwords in plain text is not a fix at all.

Jade https://absolutehosting.co.za

Jade D Replied

12/14/2017 at 3:13 PM

A sample where credentials are sent via plain text, you should consider the following
http://restcookbook.com/Basics/loggingin/

Jade https://absolutehosting.co.za

Back to Community Threads

Please leave this box unchecked

4 Replies

Reply to Thread

Tags

Related Knowledge Base Articles