It appears that both Horde and Roundcube leak username and password credentials by sending them base64 encoded with every POST.
97b08619867c34b35aec04024d165af4b305d0dd191b1b372d1902b28ac961e4
#####################################################################################
#
# Name : Horde & Roundcube password leak vulnerability
# Author : Xc0re Security Reasearch Group
# Homepage : http://www.xc0re.net
#
#####################################################################################
Description :
Webmail clients such as Horde & Round Cube leak their username and password in a fashion that with every post request they also send a base64 encoded username:password along with it! One can use a simple sniffer like ethreal and listen on a proxy or through arp spoofing and manually decrypt username and password !