MyBB Community Forums

Full Version: [B] SMTP Password Box
The SMTP password box in the admin configuration section shows the password in clear text. It shouldn't and is a security vulnerability.
This is not a security vulnerability. If you would like to make a suggestion to make the text area a password box, please make a suggestion in the appropriate forum.
Any password displayed in clear text is a security vulnerability, no matter how minor.
(2009-01-19, 11:04 PM) bobbit Wrote: Any password displayed in clear text is a security vulnerability, no matter how minor.

Not true. All I would have to do is look in the HTML source and see what it is. A password box doesn't help at all if you have even a rookie's knowledge of hacking.

Besides, you shouldn't be giving admin permissions to people you don't trust.
Well, security of a software isn't only about hackers. There is no need to hack anything if someone can just look over your shoulder to see your password. That's actually a worst case scenario... no matter how secure your software is, if someone can just see the password, there's nothing you can do.

The only point of password fields anywhere is to protect the password from people who are watching your screen (if you are in some place that offers little privacy). If no one could ever look at your screen, there would be no need to hide a password that you type, ever. Unfortunately not everyone can choose his workplace to be in a private office / room / whatever, so this soft security that prevents leaking passwords to onlookers is still necessary.

From that point of view, it's a security vulnerability. I suggest it be fixed since it's trivial to fix.
frostschutz Wrote: The only point of password fields anywhere is to protect the password from people who are watching your screen (if you are in some place that offers little privacy).

Yeah, I usually type my SMTP passwords when people are looking over my shoulder. Rolleyes Let alone around people who even know who I am or know what SMTP is.

It's perfectly fine for bobbit to post this as a suggestion, but calling it a security vulnerability gives the illusion that it is a bigger issue than it actually is.

You don't see people reporting or Google doing anything about YouTube's login page as a vulnerability, do you? Since it doesn't have SSL encryption, it's possible someone could do a man-in-the-middle attack. That's probably a higher risk than this report. I mean, my coworker could be logging all my internet traffic, including passwords, accounts, everything. I don't see that being reported.

Regardless, yes, it can and will be changed to a password box in due time. In the meantime, bobbit can post it as a suggestion if he wants to know when the change has been implemented.
If you really think that another thread is necessary for something as trivial as this... fine. I don't care anymore, if you don't want to improve your software then I won't be wasting my time in such a discussion anymore either. Don't know why I even bothered replying...
Wow, big deal over changing type="text" to type="password"...

As I said, it's a minor security vulnerability. I'm not moaning over MyBB's system not being up to NSA's standard of encryption, all I want is a four letter word changed to an 8 letter. However if you're going to do that 'in due time,' that's fine. :]
If you're so worried about it, why don't you just edit it yourself? It would save a lot of hassle for yourself and the devs, and would only take less than a minute (not even that) to boot.
(2009-01-20, 02:08 PM) bobbit Wrote: Wow, big deal over changing type="text" to type="password"...

As I said, it's a minor security vulnerability. I'm not moaning over MyBB's system not being up to NSA's standard of encryption, all I want is a four letter word changed to an 8 letter. However if you're going to do that 'in due time,' that's fine. :]

If you looked at the settings code, it's a bit more than a 4 character change.