Hi, I’d like to document a possible info leak.
When you enter the admin panel in a Mail-in-a-box server without being authorized, you can choose any item from the menu and it would show up for about half a second before the web page asks for your credentials.
Is this normal behavior?
Here is a PR still waiting to be merged into master.
@JoshData have you plans to check it, accept it and merge it soon?
I can confirm this behaviour.
One can even click on a menu item to see some details of it, if one is fast enough.
I reported this a couple of years ago. It is not actually reporting or displaying sensitive information AFAIK. It's either placeholder data or looks like it's displaying user data, but nothing is actually there. I'd also like to point out that I was only able to replicate this issue on a computer that had previously been signed into the admin panel. New computers don't have this problem AFAIK.
The information that you can see is the same HTML template in Mail-in-a-Box’s open source GitHub repository. Information specific to the box isn’t transmitted from the server to the browser until after login. I designed it this way so the control panel would be fast. But it’s caused confusion.
I’ve seen the PR to change this behavior but I can’t promise that I’ll have time to review it in the near future since this is essentially a cosmetic issue. (I completely agree with changing it, but it takes time to review things to make sure it’s an improvement.)