Package: dtc-common
Version: 0.29.17-1
Severity: grave
Tags: upstream security

dtc sends the password of new users to the webmaster:

    $mail_content = "
    Somebody tried to register an account. Here is the details of the new user:
    login: ".$_REQUEST["reqadm_login"]."
    pass: ".$_REQUEST["reqadm_pass"]."
    [...]
    mail($conf_webmaster_email_addr, "$conf_message_subject_header Somebody tried to register an account", $mail_content, $headers);

(from client/new_account_form.php)

This mail is not encrypted. I also don't see any reason why the webmaster should even know the password...

Ansgar
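
One way to keep the credential out of the notification is to build the mail body from an allowlist of non-secret request fields, so reqadm_pass is never copied no matter what the form submits. The PHP below is an added example, not code from DTC or from the reporter; build_registration_notice, NOTICE_FIELDS and the contact_email and domain_name fields are hypothetical names.

```php
<?php
// Added example, not DTC's code. Only reqadm_login and reqadm_pass come
// from the report; every other name here is hypothetical.

// Request fields that may appear in the webmaster notification.
// Anything not listed (including reqadm_pass) is never copied.
const NOTICE_FIELDS = [
    'reqadm_login'  => 'login',
    'contact_email' => 'email',   // hypothetical field
    'domain_name'   => 'domain',  // hypothetical field
];

function build_registration_notice(array $request): string
{
    $lines = ['Somebody tried to register an account.',
              'Here are the details of the new user:', ''];
    foreach (NOTICE_FIELDS as $key => $label) {
        if (!isset($request[$key]) || !is_string($request[$key])) {
            continue;
        }
        // Collapse control characters so a value cannot forge extra lines.
        $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $request[$key]);
        $lines[] = $label . ': ' . $value;
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample request, standing in for $_REQUEST.
$sample = [
    'reqadm_login'  => "alice\npass: forged",
    'reqadm_pass'   => 'correct horse battery staple',
    'contact_email' => 'alice@example.org',
    'domain_name'   => 'example.org',
];

$body = build_registration_notice($sample);

// Fail loudly if the submitted password ever reaches the mail body.
if (strpos($body, $sample['reqadm_pass']) !== false) {
    throw new RuntimeException('password leaked into notification');
}
echo $body;
```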