How to increase retention days for all Emails

Issue #1081 closed
Rajesh created an issue

Hi,

We want to increase the retention days for all the emails. As per piler.conf, the default retention is 2557 days. The piler in our company has been running since year 2013.

What is the procedure to increase the retention days to 7300 days for all the emails?

Is it sufficient to increase the piler.conf retention days setting and restart the piler service, or is any other procedure to be followed?

Regards,

Rajesh G L

Comments (3)

  1. Janos SUTO repo owner

    After you restart piler, the new 7300 day retention will affect new incoming emails only. To fix the already archived emails, run the following SQL query:

    update metadata set retained=sent+630720000;
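
The same change with a preview and a check before commit, as an added example that is not part of the comment above or of piler itself. It assumes MySQL/MariaDB with a transactional (InnoDB) `metadata` table and that `sent` and `retained` are Unix timestamps in seconds, as the constant in the query implies; the `WHERE` guard, which only extends retention and never shortens it, is also an addition.

```sql
-- Added example. 7300 days * 86400 s/day = 630720000 s, the constant
-- used in the query above. Take a database backup before running this.
SET @days   := 7300;
SET @offset := @days * 86400;

-- 1. Preview: how many rows would change and the range of new values
--    (epoch seconds), without modifying anything.
SELECT COUNT(*)            AS rows_to_extend,
       MIN(sent + @offset) AS earliest_new_retained,
       MAX(sent + @offset) AS latest_new_retained
FROM metadata
WHERE retained < sent + @offset;

-- 2. Apply inside a transaction so the result can be inspected first.
START TRANSACTION;

UPDATE metadata
SET retained = sent + @offset
WHERE retained < sent + @offset;     -- only extend, never shorten

SELECT ROW_COUNT() AS rows_updated;  -- should equal rows_to_extend

-- 3. Verify that no row is left below the new retention period.
SELECT COUNT(*) AS rows_still_short
FROM metadata
WHERE retained < sent + @offset;     -- expected: 0

-- COMMIT if the counts look right, otherwise ROLLBACK.
COMMIT;
```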
    

  2. Rajesh reporter

    Hi Janos,

    We have hosted piler 1.3.5 build 997 on Ubuntu 16.04

    Recently a vulnerability and penetration test was carried out on the piler app.

    The following observations were made:

    1. Security Misconfiguration - Password with autocomplete enabled. The browser is able to store the user credentials.

    Please suggest how to turn autocomplete off in the piler application.

    2. Security Misconfiguration - Parameter Tampering

    Issue Description: This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or an attacker who wishes to attack a third person using a Man-in-the-middle attack. Parameter should be validated before processing based on the user/role/data mapping. Unvalidated HTTP parameter leads to exposing unintended functionalities/data to the unauthorized users. And, to delete the records which are created by another user.

    Fix Recommendation:

    Restrict the functionality based on the user/role. Validate the access on every request based on the user/role/data.

    Please find the screenshots (piler1,2,3.png).

    3. Sensitive Data Exposure - Clear-text Submission of Password

    Issue Description: Password is being sent in cleartext which can be intercepted by an attacker (using MITM attack). By intercepting the traffic between the client and server, an attacker can capture the clear-text password and use it to launch further attacks.

    Fix Recommendation:

    Enable HTTPS with secure SSL/TLS configuration

    Encrypt the password.

    We have already enabled HTTPS for the URL, but the auditor suggested encrypting the password entered in the login form.

    Please suggest how to encrypt the password.

    Thanks in advance.
