Vigil@nce - Evolution: no TLS encryption of Sent
September 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the directory of sent messages is stored on a remote server,
the session is not encrypted by Evolution, even if the
configuration requests it.
Severity: 1/4
Creation date: 12/09/2011
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The Evolution program is a messaging client. It can access to a
remote IMAP mailbox through a TLS encrypted session.
The directory of sent messages can be stored locally, or on the
remote IMAP server. However, the session which stores sent
messages is never encrypted by TLS. An attacker can therefore
capture emails, or obtain the password used to connect to the IMAP
server.
When the directory of sent messages is stored on a remote server,
the session is therefore not encrypted by Evolution, even if the
configuration requests it.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Evolution-no-TLS-encryption-of-Sent-10979