[#1883] Insecure: sensitive data in login screen
Summary Insecure: sensitive data in login screen
Queue IMP
Queue Version 4.0.3
Type Enhancement
State Resolved
Priority 3. High
Owners slusarz (at) horde (dot) org
Requester ben.sommer (at) enc (dot) edu
Created 04/28/2005 (7399 days ago)
Due
Updated 05/28/2005 (7369 days ago)
Assigned
Resolved 05/28/2005 (7369 days ago)
Milestone 4.0.4
Patch No

History
05/28/2005 05:49:03 AM Michael Slusarz State ⇒ Resolved
 
05/16/2005 04:32:46 PM Chuck Hagenbuch Assigned to Michael Slusarz
Taken from Horde Developers
 
05/16/2005 05:03:00 AM Michael Slusarz Comment #2
State ⇒ Feedback
Implemented in HEAD.  Since it touches some fairly critical code, I 
want to run this for a week or two in head to make sure these changes 
are all good.
04/29/2005 03:31:41 AM Chuck Hagenbuch Assigned to Horde Developers
State ⇒ Accepted
 
04/28/2005 02:39:56 PM ben (dot) sommer (at) enc (dot) edu Comment #1
State ⇒ New
Priority ⇒ 3. High
Type ⇒ Enhancement
Summary ⇒ Insecure: sensitive data in login screen
Queue ⇒ IMP
In 'imp/templates/login/login.inc' there are several hidden form 
fields that expose potentially sensitive network information - 
including the private IP address of the mail server, TCP port number, 
mail protocol, and whether TLS is on or off. There's no need for this 
data to be sent to clients, other than for programmers' convenience.

<snip>
         <input type="hidden" name="server" value="10.100.0.23" />
         <input type="hidden" name="port" value="143" />
         <input type="hidden" name="namespace" value="INBOX." />
         <input type="hidden" name="maildomain" value="enc.edu" />
         <input type="hidden" name="protocol" value="imap/notls" />
</snip>
