Details

    • Type: Bug
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 6.0.X EE, 6.1.0 CE RC1
    • Fix Version/s: 6.0.12 EE, 6.1.1 CE GA2
    • Labels:
      None
    • Environment:
      Tomcat 6.0.32 + MySQL 5. 6.0.x Revision 87114.
      Tomcat 6.0.32 + MySQL 5. 6.1.x Revision 87221.

      Description

      I tried the Mail portlet on my website and I had exceptions because of Bug #12001.
      But I also had the following exception, with the password I use to connect to my mail server clearly viewable in the logs:

      /var/lib/tomcat6/logs/catalina.out:451881:17:42:48,878 ERROR [MailSynchronizationMessageListener:38] Unable to process message {destinationName=liferay/mail_synchronizer, responseDestinationName=null, responseId=null, payload=null, values={messagesPerPage=0, accountId=18166, userId=10169, command=synchronize, pageNumber=0, messageId=0, password=xxxxxxxx, folderId=0}}
      

      That's a huge security breach to me. You could replace the password by its MD5 hash, in order to have it safe and verifiable in the logs.

      How to reproduce:

      • Add a "Mail" portlet on one of the private pages of your website
      • Add a mail account
      • Access your Inbox and try to send a mail.
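
An added example, not part of the original report and not Liferay code: a log audit that finds sensitive keys in the `{key=value, ...}` dump shown in the exception above and masks their values outright. The key list, the mask string and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed list of keys that must never appear with a value in logs.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token")
MASK = "********"

# A value ends at the next ", key=" pair or at the braces closing the line.
# If neither is found, the match runs to end of line (fail closed).
_PAIR = re.compile(
    r"\b(?P<key>" + "|".join(SENSITIVE_KEYS) + r")=(?P<value>.*?)(?=, \w+=|\}*\s*$)",
    re.IGNORECASE,
)


def redact(line):
    """Return the line with every sensitive value replaced by MASK."""
    return _PAIR.sub(lambda m: m.group("key") + "=" + MASK, line.rstrip("\n"))


def find_leaks(lines):
    """Return (line_number, key) for each sensitive key logged with a real value."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for m in _PAIR.finditer(line.rstrip("\n")):
            value = m.group("value")
            if value and value != "null" and set(value) != {"*"}:
                hits.append((number, m.group("key")))
    return hits


# Constructed sample lines in the format of the report; the secrets are made up.
SAMPLE_LOG = [
    "17:42:48,878 ERROR [MailSynchronizationMessageListener:38] Unable to process "
    "message {destinationName=liferay/mail_synchronizer, payload=null, "
    "values={accountId=18166, command=synchronize, password=Tr0ub,ad}r, folderId=0}}",
    "17:42:49,102 INFO  [Example:12] values={userId=10169, password=null}",
    "17:42:50,417 ERROR [Example:40] values={pageNumber=0, password=hunter2}}",
]

if __name__ == "__main__":
    for lineno, key in find_leaks(SAMPLE_LOG):
        print("line %d leaks %s" % (lineno, key))
    for line in SAMPLE_LOG:
        print(redact(line))
```

The dump format does not escape its values, so a secret that itself ends in `}` cannot be told apart from the closing braces; the durable fix is to keep the value out of the message's string form before it is logged.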

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                7 years, 11 weeks, 6 days ago