487882 2024-06-01 12:58:05 +0000 plaintext HTTP request in kmail-account-wizard 2024-06-03 11:43:40 +0000 1 1 2 Applications kmail2 general 5.24.4 unspecified Unspecified RESOLVED FIXED NOR major --- 0 beardwen pim-bugs-null montel https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d4a88afb25585180a62ee4 6.2.0 0 oldest_to_newest 2323822 0 beardwen 2024-06-01 12:58:05 +0000 Summary: Send a plain HTTP request (https://github.com/KDE/kmail-account-wizard/blob/master/src/ispdbservice.cpp#L29) to retrieve the mail server's configuration file in the K-mail account wizard. May result: Consider an attack scenario in which the attacker and the victim are both located in a coffee shop, sharing the same Wi-Fi network. The attacker can tamper with any content transmitted over the plaintext connection. For example, specify the target mail server as an attacker-controlled server. If it is deliberate not to implement HTTPS, what is the reason for doing so? 2324059 1 montel 2024-06-03 05:26:06 +0000 see https://wiki.mozilla.org/Thunderbird:Autoconfiguration 2324106 2 beardwen 2024-06-03 09:17:26 +0000 (In reply to Laurent Montel from comment #1) > see https://wiki.mozilla.org/Thunderbird:Autoconfiguration Thank you for your reply. However, for a more secure implementation, Kmail should at least try https first and fall back to http requests in case it can't retrieve the configuration file successfully. Also, the latest specification and discussion of autoconfiguration are referenced in: - https://datatracker.ietf.org/doc/draft-bucksch-autoconfig/00/ 2324139 3 montel 2024-06-03 11:43:40 +0000 Git commit 9784f5ab41c3aff435d4a88afb25585180a62ee4 by Laurent Montel. Committed on 03/06/2024 at 11:42. Pushed by mlaurent into branch 'master'. Fix bug 487882: plaintext HTTP request in kmail-account-wizard FIXED-IN: 6.2.0 M +7 -11 src/ispdbservice.cpp M +5 -3 src/ispdbservice.h https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d4a88afb25585180a62ee4