Clear text passwords publicly visible?

[netaddict]

I've just been doing some setting up of SupportSuite, finally, and noticed something that concerns me.

I have to run http://www.domain.com/helpdesk/cron/index.php?_t=parser to try to work out why emails weren't being fetched.

In doing that I noticed that the password for the pop3 box is showin in clear text as output. To me this is a security risk. Anyone who knows you are running Kayako can try this command and see the passwords to your pop3 box's (assuming your using pop3 and not pipe)

Example is shown below, passwords and domain blacked out.


I did have a issue where Kayako Support gave me a new cron_parser.php to use as I was getting the below error:
Thu Oct 16 04:05:02 2008] [error] [client 208.43.x.x] PHP Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(./files/parser.lockfile) is not within the allowed path(s): (/var/www/vhosts/domain.net/httpdocs:/tmp) in /var/www/vhosts/domain.net/httpdocs/helpdesk/modules/parser/cron_parser.php on line 32

Since getting the update that error no longer occurs.

I've never noticed the plain text passwords before, have I configured something wrong or is this a issue with Kayako? If it is I'd say its a rather large one as it exposes what I'd call a security risk.

I'm also logging a support ticket about this however its atleast 24+ hours before support are open.

Thanks,
Dylan

[craigbrass]

Wow, thats bad. Are you running the latest version? If so, this needs developer attention ASAP.

Piping, as described in the manual, is one option for you.

Also, out of interest, why have you blanked your email address out?

[netaddict]

Running version 3.30.02 SupportSuite Stable.

I'd personally rather not use piping, rather have it come from POP3, more safer in my view in the event of any failure.

Blocked out the email address's for my protection, happy to provide the domain name etc via PM to any staff member. Also most would be able to see who I am from my email address and look up the ticket.

[Jamie Edwards]

Hi netaddict,

Please upload the attached file, replacing yours in (modules\parser\cron_parser.php).

I understand that our support staff updated cron_parser.php for you? Please let me know the related ticket ID so I can take a look.

[netaddict]

Updated the cron_parser.php file as you posted and it changed the output, no passwords

However now the error_log file is generating errors again as in the original post prior to updating it as supplied from support.

I've also PM'd you the ticket ID.

Thanks,
Dylan

[Jamie Edwards]

Hi Dylan,

Please see the attached file which should resolve this.

I am very sorry on behalf of our support technicians that you were given this debug file as a production file. I have contacted the people concerned, and make absolutely certain this isn't going to happen again.

[netaddict]

Thanks Jamie, looks to have fixed the issue.

I've added a referance to the ticket so support can close it.

[craigbrass]

Quote:

I've also PM'd you the ticket ID.

Ticket IDs are find to post here on the forum directly.

[Jamie Edwards]

Quote:

Originally Posted by craigbrass

Ticket IDs are find to post here on the forum directly.

And they are fine in a PM to Kayako staff as well

[craigbrass]

Indeed, but with what I suggested being quicker to do. Just making observations.

[bear]

Quote:

Originally Posted by craigbrass

Indeed, but with what I suggested being quicker to do. Just making observations.

Takes the same amount of time to PM as to post, so it makes little difference.