! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
zimagez unsafe login, I call it screenshooter-bleed
Status:
RESOLVED: INVALID
Product:
Xfce4-screenshooter
Component:
General

Comments

Description OPTIONAL 2017-03-24 12:45:26 CET
Hello,

I just came across this line in [screenshooter-zimagez.c](https://git.xfce.org/apps/xfce4-screenshooter/tree/lib/screenshooter-zimagez.c):

    xmlrpcLogin: Takes the user name and the password (encrypted using rot13 and
    reversed using g_strrev.

I hope my problem with this is obvious! The opening bracket before "encrypted" is never closed! How do you people sleep at night, leaving brackets unclosed?!

But seriously... The password is sent via plain HTTP rot13-reversed. For people that use the same password multiple times, this is pretty uncool!

I think it would be better to remove zimagez from this program. The API seems incredibly crappy anyways.
One example would be: If you use any character outside [A-z0-9] in a password (like "{"), it doesn't work anymore :D. Guess that is another weak point of Rot13.
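To make the report's point concrete, here is an added example (not xfce4-screenshooter's own code) that reimplements the described rot13-then-reverse transform in plain C, with g_strrev replaced by an inline reverse so it builds without GLib; it shows the wire form of a constructed sample password and that the transform is its own inverse, so anyone reading the plain-HTTP request needs no key to undo it.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not xfce4-screenshooter's code: reimplements the transform the
 * report describes (rot13, then reversal, which the project did with g_strrev;
 * a plain C reverse is used here so it builds without GLib). Works in place. */
static char *obfuscate(char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c >= 'a' && c <= 'z')
            s[i] = (char)('a' + (c - 'a' + 13) % 26);
        else if (c >= 'A' && c <= 'Z')
            s[i] = (char)('A' + (c - 'A' + 13) % 26);
        /* digits, punctuation such as '{', and any other byte pass through */
    }
    for (size_t i = 0, j = n ? n - 1 : 0; i < j; i++, j--) {
        char t = s[i]; s[i] = s[j]; s[j] = t;
    }
    return s;
}

/* Returns 1 when the wire form of password equals expected. */
int wire_form_is(const char *password, const char *expected)
{
    char buf[256];
    if (strlen(password) >= sizeof buf) return 0;
    strcpy(buf, password);
    return strcmp(obfuscate(buf), expected) == 0;
}

/* Returns 1 when applying the transform twice restores the password: the
 * scheme is keyless and self-inverse, so whoever reads the plain-HTTP
 * request already holds everything needed to reverse it. */
int is_involution(const char *password)
{
    char buf[256];
    if (strlen(password) >= sizeof buf) return 0;
    strcpy(buf, password);
    obfuscate(obfuscate(buf));
    return strcmp(buf, password) == 0;
}
int main(void)
{
    char wire[256];
    strcpy(wire, "Hunter2{");   /* constructed sample; not a real credential */
    printf("wire form: %s\n", obfuscate(wire));   /* {2ergahU */
    return 0;
}
```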
Comment 1 Andre Miranda editbugs 2018-04-28 23:47:57 CEST
Closing this bug since Zimagez is no more, I removed support for it (in master, to be released).
For more details, see bug #14283.

Bug #13457

Reported by:
OPTIONAL
Reported on: 2017-03-24
Last modified on: 2018-04-28

People

Assignee:
Jérôme Guelfucci
CC List:
1 user

Version

Version:
unspecified
