REPORTING BUG

Ethan Blanton elb at pidgin.im
Wed Jun 24 21:19:09 EDT 2015


Deep-Hack spake unto us the following wisdom:
> This is Deepali Malekar, Security Researcher. I have found a bug on your
> site that I would like to share with you. This bug is related to credentials
> being in clear text, and it may be harmful for your users' credentials.
> 
> Vulnerability: Clear Text Credential
> Vulnerable Link:
> https://pidgin.im/cgi-bin/mailman/private/cabal/attachments/20070320/0e2f8078/
> Parameter: username and password

1) Nobody does this with accounts with any privilege.
2) Mailing lists routinely MAIL PEOPLE THEIR PASSWORDS.
3) This is standard mailman, I hope you're not trolling through
   everyone on the Internet who uses mailman.

> Generally all big companies provide rewards for security researchers, so I am
> also hoping for the same from your end in good faith.

We're not a company, we don't have any money, and this isn't a
vulnerability that a sophisticated security researcher would report.
I appreciate that you're trying to learn about network security, but
you need to learn about the specific tools you're testing as well as
the possible ways they can be insecure.  (E.g., in this case, what
mailman is and how it's generally used.)

Good luck with your studies,
Ethan

