[bugs] [Bug 1161] New - Security hole related to HTTP_REFERER
bugs at bugs.horde.org
bugs at bugs.horde.org
Wed Jan 29 16:03:27 PST 2003
http://bugs.horde.org/show_bug.cgi?id=1161
*** shadow/1161 Wed Jan 29 16:03:27 2003
--- shadow/1161.tmp.15813 Wed Jan 29 16:03:27 2003
***************
*** 0 ****
--- 1,31 ----
+ Bug#: 1161
+ Product: Horde
+ Version: 2.1 Unstable
+ Platform: Mozilla 5.x
+ OS/Version: other
+ Status: NEW
+ Resolution:
+ Severity: major
+ Priority: P2
+ Component: IMP
+ Area: BUILD
+ AssignedTo: chuck at horde.org
+ ReportedBy: jroberts at forumone.com
+ URL:
+ Summary: Security hole related to HTTP_REFERER
+
+ I came across this IMP hole when looking at my webserver access log. A user
+ visited my website by clicking a link in IMP. The HTTP_REFERER in the server
+ log is
+ http://mailserver.mydomain.com/horde/imp/message.php?Horde=2e84dc6e7706c1592cadb2c1cbf06be8&index=17147.
+ By loading this URL in my browser, I am able to instantly be logged in as the
+ user as long as I load the URL before the session timeout period.
+
+ I consider this to be a very critical error. Any evil sysadmin who finds a
+ very recent log line with a Horde/IMP HTTP_REFERER can instantly take over my
+ session and read / send email.
+
+ To test, send yourself a message which includes the URL
+ http://ndev.forumone.com/jkr/evilsite.php. Click the link to visit that page.
+ The HTTP_REFERER will be displayed. Copy that URL into a different browser (or
+ close your browser and re-open to end the session) and you will again be logged in.
More information about the bugs
mailing list