Package: dtc-common
Version: 0.29.17-1
Severity: grave
Tags: upstream security

dtc sends the password of new users to the webmaster:

    $mail_content = "
    Somebody tried to register an account. Here is the details of the new user:

    login: ".$_REQUEST["reqadm_login"]."
    pass: ".$_REQUEST["reqadm_pass"]."
    [...]
    mail($conf_webmaster_email_addr,
         "$conf_message_subject_header Somebody tried to register an account",
         $mail_content, $headers);

(from client/new_account_form.php)

This mail is not encrypted. I also don't see any reason why the webmaster
should even know the password...

Ansgar
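
One way to restructure the code quoted in the report so that the password never reaches the mail body, given as an added example (it is not DTC's code and not the upstream fix). The helper names and the in-memory pending store are hypothetical, and the type declarations and password_hash() assume PHP 7.1 or later.

```php
<?php
// Added example, not DTC code. Function names and $pending_store are
// hypothetical; only the reqadm_login / reqadm_pass field names and the
// wording of the notice come from the bug report.

// Build the webmaster notice from an allow-list of non-secret fields,
// so a secret can only end up in the mail if someone adds it here on purpose.
function build_registration_notice(array $request): string
{
    $notify_fields = ['reqadm_login'];   // reqadm_pass is deliberately absent
    $lines = [
        'Somebody tried to register an account.',
        'Here are the details of the new user:',
        '',
    ];
    foreach ($notify_fields as $field) {
        $value = isset($request[$field]) ? (string) $request[$field] : '';
        $lines[] = substr($field, strlen('reqadm_')) . ': ' . $value;
    }
    return implode("\n", $lines) . "\n";
}

// Keep only a salted hash for the pending account; the clear text is not stored.
function store_pending_account(array $request, array &$pending_store): void
{
    $pending_store[$request['reqadm_login']] =
        password_hash($request['reqadm_pass'], PASSWORD_DEFAULT);
}

// Constructed sample input standing in for $_REQUEST.
$request = ['reqadm_login' => 'alice', 'reqadm_pass' => 'correct horse battery'];
$pending = [];
store_pending_account($request, $pending);
$mail_content = build_registration_notice($request);

// Self-check: the secret must not appear in anything handed to mail(),
// and the stored hash must still verify the password at first login.
if (strpos($mail_content, $request['reqadm_pass']) !== false) {
    throw new RuntimeException('password leaked into notification mail');
}
if (!password_verify($request['reqadm_pass'], $pending['alice'])) {
    throw new RuntimeException('stored hash does not verify');
}
echo $mail_content;
// The mail() call from new_account_form.php would then send $mail_content unchanged.
```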

