CVE-2008-4165

Name of the Vulnerable Software and Affected Versions Kolab Groupware Server version 1.0.0

Description The issue allows local administrators, and possibly remote attackers, to obtain cleartext passwords. This is because the admin/user/create user.php file in the affected software places a user password in an HTTP GET request. Attackers can read the ssl access log file or the referer string to obtain the passwords.

Recommendations For Kolab Groupware Server version 1.0.0, consider restricting access to the ssl access log file and avoiding the use of HTTP GET requests for sensitive information, such as user passwords, until a proper fix is available. As a temporary workaround, consider disabling the create user.php function to minimize the risk of exploitation.