Was: SMTP server password not properly protected from view in configure
With the new very nice feature for SMTP authentication one thing has been overlooked.
Often configure is open for view in many new TWiki installations. Many will find out how to protect it by setting up additional protection in the .htaccess or httpd.conf files. But by default anyone can see configure but they cannot alter anything without knowing the special configure password that the admin defines the first time he runs configure.
The {SMTP}{Password} field is not in any way protected from viewing.
This password is for many users the ISP password. So giving this away opens the SMTP server for spam and it allows anyone to log in to the POP3 account at the ISP and read the private emails.
We need to make the {SMTP}{Password} a write only field. No one should be able to read the password from configure.
KJL
No, I didn't overlook it. The doc recommends making configure accessible only to selected users. It would be neat to provide the facility for hidden fields, but that isn't in configure yet. So I'm changing the headline here to that. I can accept it's a requirement, but it's not a release blocker so I'm reducing to normal.
CC
The doc recommends...
We are luring our users into a trap. And the SMTP password is normally also your POP3 and web site password. It is serious to expose this.
A new admin installing TWiki for the first time will have his focus on many other things than setting up tight security on the configure script.
You should have taken care of this before adding the feature. I think you are taking people's security a bit lightly just to press out 4.0.3.
KJL
At first I just saved it keeping normal.
But then Peter said.
[20:49] <PeterThoeny> kenneth, security *is* important, i suggest to put it back to urgent
So here we begin the special sport called Bugs-Ping-Pong again.
KJL
Damned. The type PASSWORD was actually already implemented.
And it works. I changed the SMTP password type to PASSWORD. And I tried to change it back and forth. I tried to clear it. I could not find anything wrong with that feature.
So I decided to check it into TWiki4.
The configure updates are not implemented in DEVELOP yet for some reason!
So I downgrade to normal so this is no longer a 4.0.3 release blocker.
KJL
Merged in Sven's configure updates to configure (the part that handles the PASSWORD type) and fixed the TWiki.cfg issue also in DEVELOP. Ready for release.
Thanks Sven for making this so easy to fix. You must have a good crystal ball knowing that we would need that code later.
KJL
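
One way a write-only field of the kind requested in this thread can behave, as an added Perl example that is not TWiki's configure code and was not posted by any participant. The field table, the helper names and the `:clear` checkbox are assumptions made for illustration; only the `{SMTP}{Password}` key and the PASSWORD type name come from the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical field table (key => type); only the PASSWORD type name is from the thread.
my $USER = '{SMTP}{Username}';
my $PASS = '{SMTP}{Password}';
my %TYPE = ( $USER => 'STRING', $PASS => 'PASSWORD' );

sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Render one setting. A PASSWORD field never carries the stored value into
# the page, so viewing configure (or its HTML source) reveals nothing.
sub render_field {
    my ($key, $cfg) = @_;
    my $name = escape_html($key);
    if ($TYPE{$key} eq 'PASSWORD') {
        my $state = (defined $cfg->{$key} && length $cfg->{$key}) ? 'set' : 'not set';
        return qq{<input type="password" name="$name" value="" autocomplete="off" /> ($state) }
             . qq{<input type="checkbox" name="$name:clear" /> clear};
    }
    my $value = escape_html($cfg->{$key} // '');
    return qq{<input type="text" name="$name" value="$value" />};
}

# Apply a submitted form. A blank PASSWORD submission means "unchanged",
# because the form was rendered blank; clearing needs the explicit checkbox.
sub apply_update {
    my ($key, $cfg, $form) = @_;
    my $new = $form->{$key} // '';
    if ($TYPE{$key} eq 'PASSWORD') {
        if    ($form->{"$key:clear"}) { $cfg->{$key} = '' }
        elsif (length $new)           { $cfg->{$key} = $new }
        return;
    }
    $cfg->{$key} = $new;
}

# Constructed sample data, not a real credential.
my %cfg = ( $USER => 'wiki', $PASS => 'constructed-secret' );
my $html = render_field($PASS, \%cfg);
die "stored password leaked into page\n" if index($html, $cfg{$PASS}) >= 0;
apply_update($PASS, \%cfg, { $PASS => '' });          # blank submit keeps the secret
die "blank submit overwrote the password\n" unless $cfg{$PASS} eq 'constructed-secret';
apply_update($PASS, \%cfg, { "$PASS:clear" => 'on' }); # explicit clear empties it
print "password is now ", (length $cfg{$PASS} ? 'set' : 'not set'), "\n";
```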