Vulnerability Development mailing list archives

Eudora Logging


From: "Deus, Attonbitus" <Thor () HammerofGod com>
Date: Thu, 25 Apr 2002 07:16:03 -0700

Greetings:

This is not an advisory; there is no exploit, but I think it a valuable 
piece of information for Eudora users.  I'm glad Vuln-dev exists as a forum 
for this kind of stuff...

The Eudora help file tells us about the Debug tag, where we may place 
parameters such as LogLevel.  A setting of LogLevel=127, for instance, will 
cause Eudora to write a verbose log of all incoming and outgoing 
events.  This includes usernames, passwords, and the full text of all incoming 
and outgoing messages.  You can also set Eudora to write the .log file to 
an .old file at a certain size and begin a new .log file.  You may also 
specify the name of the log file.

It is actually a pretty cool tool to use to debug problems (as it shows all 
the client/server communications), but I don't like the fact that the 
client software never tells you that this logging is taking place.  Anyone 
with access to the .ini file, locally or remotely, can write these entries 
to Eudora's configuration.  As many corporations use Eudora as a more 
'secure' alternative to OE, there is a concern that shared systems or 
admins will be able to trivially capture all messaging for any user.

I am fully aware that SMTP and POP3 are clear-text protocols, and that an 
admin (or anyone with physical access) could install keyboard loggers, 
sniffers, etc.  However, even when SSL is used to encrypt the SMTP and POP3 
channels, this log file still writes everything in clear text.

I have been using Eudora for a while, and require SSL for all 
communications to/from the server; I was unaware that this setting 
existed.  When I found out how easy it was to log everything even under 
these conditions, it concerned me; that is why I post this here, so that 
users of Eudora, particularly in corporate environments, would at least get 
a heads-up that this configuration parameter exists, and take that into 
consideration when securing your installations.

I sent an email to the Eudora dev team asking them to simply notify the 
user somewhere in the GUI that logging is enabled, but have not heard back 
from them.  I hope this information is of value to some.

Cheers,

AD
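A small audit check for the setting described in the post, added here as an example and not part of the original message or of Eudora itself. It assumes the Debug tag is an INI section named [Debug] and that the configuration file is ordinary INI text; the sample contents and the path handling are constructed for the example.

```python
"""Audit a Eudora-style .ini for the [Debug] LogLevel setting discussed in the post."""
import configparser
from pathlib import Path

# Constructed sample, not a real Eudora configuration file. Only the [Debug]
# section and the LogLevel key come from the post; the other keys are filler.
SAMPLE_INI = """\
[Settings]
RealName=Example User
POPAccount=user@mail.example.com

[Debug]
LogLevel=127
"""


def audit_debug_logging(ini_text: str) -> list[str]:
    """Return one human-readable finding per [Debug] entry (empty list = clean)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # preserve key case so findings quote the file as written
    cp.read_string(ini_text)
    findings: list[str] = []
    # Section names are matched case-insensitively in case the file says [DEBUG].
    debug_sections = [s for s in cp.sections() if s.lower() == "debug"]
    for section in debug_sections:
        for key, value in cp.items(section):
            if key.lower() == "loglevel":
                note = "LogLevel={}: Eudora debug logging is enabled".format(value)
                if str(value).strip() == "127":
                    # 127 is the level the post describes: credentials and full message text.
                    note += " at the verbose level that records credentials and full message text"
                findings.append(note)
            else:
                # Log file name/rotation parameters live here too; they deserve a look.
                findings.append("{}={}: additional [Debug] parameter set".format(key, value))
    return findings


def audit_file(path: str) -> list[str]:
    """Audit an on-disk .ini; the caller supplies the path to the Eudora configuration."""
    text = Path(path).read_text(encoding="latin-1", errors="replace")
    return audit_debug_logging(text)


if __name__ == "__main__":
    for line in audit_debug_logging(SAMPLE_INI) or ["no [Debug] logging entries found"]:
        print(line)
```

Run it against each user's configuration on shared systems; any output at all means the silent log the post describes may be accumulating.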