STARTTLS can be stripped and Sylpheed will proceed in plaintext, leaking the user credentials.
Configure an IMAP account in Sylpheed to connect to a server via STARTTLS. When an attacker on the path strips the STARTTLS capability from the server greeting and from the response to the CAPABILITY command, Sylpheed no longer issues the STARTTLS command and proceeds with the LOGIN in plaintext, so the username and password are sent in the clear to the attacker. Sylpheed should refuse to log in when the account is configured for STARTTLS but the server does not appear to offer it.
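The exchange described in this report, as an added example that is not Sylpheed's code: a scripted IMAP server, an on-path attacker that deletes STARTTLS (and LOGINDISABLED) from the server's plaintext lines, and a client run once in the vulnerable mode (use STARTTLS only if the server appears to offer it) and once in the hardened mode (the account is configured for STARTTLS, so its absence aborts the login). All server lines, names and credentials are constructed for the example.

```python
"""Simulated IMAP STARTTLS-stripping attack: an honest server, an on-path
attacker that rewrites the plaintext server lines, and a client run in the
vulnerable mode described in the report and in a hardened mode."""

import re

# Constructed server lines (not captured from a real server). A server that
# follows RFC 3501 advertises STARTTLS and LOGINDISABLED before TLS is up.
GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
CAPABILITY_RESPONSE = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

# The attacker removes both tokens: STARTTLS so the client never upgrades,
# LOGINDISABLED so a client that honours it still sends LOGIN.
STRIP_RE = re.compile(r" ?\b(STARTTLS|LOGINDISABLED)\b")


def parse_capabilities(line):
    """Return capability tokens from an untagged CAPABILITY response or from
    the [CAPABILITY ...] response code carried in the greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.match(r"\* CAPABILITY (.*)", line)
    return set(m.group(1).split()) if m else set()


def strip_tls_tokens(line):
    """Attacker's rewrite of one server-to-client line."""
    return STRIP_RE.sub("", line)


class ScriptedServer:
    """Minimal scripted IMAP server; records any LOGIN that arrives before TLS."""

    def __init__(self):
        self.tls_active = False
        self.plaintext_login = None

    def greeting(self):
        return GREETING

    def handle(self, tag, command):
        if command == "CAPABILITY":
            return [CAPABILITY_RESPONSE, f"{tag} OK Capability completed"]
        if command == "STARTTLS":
            self.tls_active = True
            return [f"{tag} OK Begin TLS negotiation now"]
        if command.startswith("LOGIN "):
            if not self.tls_active:
                self.plaintext_login = command  # visible to anyone on the path
            return [f"{tag} OK Logged in"]
        return [f"{tag} BAD Unknown command"]


class StrippingAttacker:
    """On-path attacker: forwards commands unchanged, rewrites plaintext replies."""

    def __init__(self, server):
        self.server = server

    def greeting(self):
        return strip_tls_tokens(self.server.greeting())

    def handle(self, tag, command):
        return [strip_tls_tokens(line) for line in self.server.handle(tag, command)]


def client_session(link, username, password, require_tls):
    """Client side of the exchange. Returns the commands it sent and the outcome.

    require_tls=False mirrors the behaviour the report describes: STARTTLS is
    used only if the server appears to offer it. require_tls=True is the fix:
    the account is configured for STARTTLS, so its absence aborts the login.
    """
    sent = []
    caps = parse_capabilities(link.greeting())
    sent.append("a1 CAPABILITY")
    for line in link.handle("a1", "CAPABILITY"):
        caps |= parse_capabilities(line)
    if "STARTTLS" in caps:
        sent.append("a2 STARTTLS")
        link.handle("a2", "STARTTLS")
    elif require_tls:
        return sent, "aborted: STARTTLS configured but not offered by server"
    login = f"LOGIN {username} {password}"
    sent.append(f"a3 {login}")
    link.handle("a3", login)
    return sent, "logged in"


def run(attacker_present, require_tls):
    """Run one session; returns (commands sent, outcome, LOGIN seen in the clear or None)."""
    server = ScriptedServer()
    link = StrippingAttacker(server) if attacker_present else server
    sent, outcome = client_session(link, "alice", "hunter2", require_tls)
    return sent, outcome, server.plaintext_login


if __name__ == "__main__":
    for attacker, strict in [(False, False), (True, False), (True, True)]:
        print(f"attacker={attacker} require_tls={strict}: {run(attacker, strict)}")
```

The point the simulation makes is that the client cannot learn from the server whether STARTTLS exists, because every line it sees before the upgrade passes through the attacker, who can also remove LOGINDISABLED; the only trustworthy signal is the client's own account configuration, which is what the hardened mode checks.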
Updated by Bogisich Gaston 10 months ago
Damian Poddebniak wrote:
As this issue has not been assigned for over 8 months, I wondered whether this is recognized as a security issue.
I am also facing the exact same issue. Is your issue resolved? Any recommendation on how to solve this issue? Can anyone please help?