Bug #322

STARTTLS can be stripped and Sylpheed will proceed in plaintext leaking the user credentials.

Added by Damian Poddebniak over 1 year ago. Updated 3 days ago.

Status: New
Priority: High
Assignee: -
Category: Security
Target version:
Start date: 05/30/2020
Due date:
% Done: 0%
Estimated time:

Description

Configure an IMAP server such that Sylpheed can connect via STARTTLS. When an attacker strips the STARTTLS capability from the server greeting and the response to the capability command, Sylpheed will not issue the STARTTLS command anymore and proceed with the login in plaintext.
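The client-side check whose absence the report describes, as an added example that is not part of the original report and not Sylpheed's own code: when the account requires STARTTLS and the pre-TLS capability list lacks it, the client aborts instead of falling back to a plaintext LOGIN. All type and function names are hypothetical, and the sample greeting is constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical names for illustration; not taken from Sylpheed's source. */
typedef enum { TLS_NONE, TLS_STARTTLS_REQUIRED } tls_policy;
typedef enum { NEXT_LOGIN, NEXT_STARTTLS, NEXT_ABORT } next_step;

/* True if `cap` appears as a whole, case-insensitive atom in an IMAP
 * greeting or CAPABILITY response line. */
static bool has_capability(const char *line, const char *cap)
{
    size_t n = strlen(cap);
    const char *p = line;
    while (*p) {
        size_t len = strcspn(p, " []\r\n");   /* length of the next atom */
        if (len == n) {
            size_t i = 0;
            while (i < n && toupper((unsigned char)p[i]) == toupper((unsigned char)cap[i]))
                i++;
            if (i == n)
                return true;
        }
        p += len;
        if (*p)
            p++;                              /* skip one delimiter */
    }
    return false;
}

/* Decide what to send after reading capabilities on a connection. */
next_step decide_next_step(tls_policy policy, bool tls_active, const char *caps)
{
    if (tls_active)
        return NEXT_LOGIN;                    /* channel already protected */
    if (policy == TLS_STARTTLS_REQUIRED)
        /* Pre-TLS capability data is unauthenticated: if STARTTLS is
         * missing, abort instead of downgrading to a plaintext LOGIN. */
        return has_capability(caps, "STARTTLS") ? NEXT_STARTTLS : NEXT_ABORT;
    /* Plaintext account: RFC 3501 forbids LOGIN when LOGINDISABLED is set. */
    return has_capability(caps, "LOGINDISABLED") ? NEXT_ABORT : NEXT_LOGIN;
}

int main(void)
{
    /* Constructed sample: greeting with STARTTLS stripped in transit. */
    const char *stripped = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready\r\n";
    return decide_next_step(TLS_STARTTLS_REQUIRED, false, stripped) == NEXT_ABORT ? 0 : 1;
}
```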

#1

Updated by Damian Poddebniak 8 months ago

As this issue has not been assigned for over 8 months, I wondered if this is recognized as a security issue?

#2

Updated by Bogisich Gaston 6 months ago

Damian Poddebniak wrote:

As this issue has not been assigned for over 8 months, I wondered if this is recognized as a security issue?

I am also facing the exact same issue. Is your issue resolved? Any recommendation on how to solve this issue? Can anyone please help?


#3

Updated by john bond 3 days ago

Interesting topic for a blog. I have been searching the Internet for fun and came upon your website. Fabulous post. Thanks a ton for sharing your knowledge! It is great to see that some people still put in an effort into managing their websites. I'll be sure to check back again real soon.
