[Tickets #1022] NEW: Collapsing Horde sidebar results in empty cookie
bugs at bugs.horde.org
Mon Dec 27 07:08:31 PST 2004
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=1022
-----------------------------------------------------------------------
Ticket | 1022
Created By | peter at prwdot.org
Summary | Collapsing Horde sidebar results in empty cookie
Queue | Horde Base
Version | 3.0
State | Unconfirmed
Priority | 2. Medium
Type | Bug
Owners |
-----------------------------------------------------------------------
peter at prwdot.org (2004-12-27 07:08) wrote:
Summary:
After having expanded several nodes in the Horde sidebar, collapsing all of
them causes an empty cookie to be sent to the browser. Server-side software
such as the Apache mod_security module might detect this as an exploit of
some sort, as seen in the mod_security audit report below:
========================================
Request: x.x.x.x - - [27/Dec/2004:09:42:27 --0500] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 403 229
Handler: application/x-httpd-php
----------------------------------------
GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://horde.prwdot.org/services/portal/sidebar.php
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Host: x.y.z
Connection: Keep-Alive
Cookie: Horde=xxxxxxxxxxxxxxxxxxxxx; auth_key=xxxxxxxxxxxxxxxxxxxx; imp_key=xxxxxxxxxxxxxxxxx; horde_menu_expanded=
mod_security-message: Invalid cookie format: Cookie value is missing #2
mod_security-action: 403
HTTP/1.1 403 Forbidden
Content-Length: 229
Keep-Alive: timeout=30, max=59
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
---------------------
As seen in the above report, the horde_menu_expanded cookie is empty. In
this particular mod_security configuration, mod_security generates a 403
denied error.
A browser-side workaround is to simply re-expand one or more Horde menus,
thus sending back a non-empty horde_menu_expanded cookie.
For a server-side code fix, perhaps change Horde_Tree.prototype._setCookie
in horde/templates/javascript/tree.js so that an empty cookie will not be
set in the browser, or so that it would set the cookie to expire in the
past, thus removing the empty cookie at the browser's earliest convenience.
I'm sure there is some other good way to get around this issue.
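The following is an added example illustrating the reporter's proposed fix and the check that triggered the 403; it is not Horde's tree.js and not part of the ticket. buildSetCookie stands in for the string a Horde_Tree-style _setCookie would assign to document.cookie; expandedCookieValue (comma-joined node ids) and emptyCookies (a re-creation of the "Cookie value is missing" test on the request header) are assumptions, as is the sample Cookie header, which is constructed to match the shape shown in the audit report above.

```javascript
// Added example, not Horde's own code. Shows (1) a _setCookie-style helper
// that never emits "name=" with an empty value and instead expires the
// cookie in the past, and (2) the request-header check that mod_security's
// "Cookie value is missing" message corresponds to.

// Build the string that would be assigned to document.cookie (or sent as a
// Set-Cookie header). An empty value is turned into a deletion: the browser
// drops the cookie rather than sending "horde_menu_expanded=" on every request.
function buildSetCookie(name, value, path = '/') {
  if (value === null || value === undefined || value === '') {
    return `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`;
  }
  return `${name}=${encodeURIComponent(value)}; path=${path}`;
}

// Encode the set of expanded node ids as a cookie value. Comma-joining is an
// assumption; the real Horde encoding is not shown in the ticket. With no
// expanded nodes the value is empty, which is exactly the case that bit here.
function expandedCookieValue(expandedNodes) {
  return expandedNodes.length === 0 ? '' : expandedNodes.join(',');
}

// Detector side: parse a Cookie request header into name/value pairs and
// return the names whose value is empty, mirroring the mod_security check.
function emptyCookies(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq < 0
        ? { name: part, value: '' }
        : { name: part.slice(0, eq).trim(), value: part.slice(eq + 1).trim() };
    })
    .filter((cookie) => cookie.value === '')
    .map((cookie) => cookie.name);
}

// Constructed sample header with the same shape as the audit report above.
const SAMPLE_COOKIE_HEADER =
  'Horde=xxxxxxxxxxxxxxxxxxxxx; auth_key=xxxxxxxxxxxxxxxxxxxx; ' +
  'imp_key=xxxxxxxxxxxxxxxxx; horde_menu_expanded=';

// Walk through the reported scenario: several nodes expanded, then all collapsed.
function demo() {
  const header = SAMPLE_COOKIE_HEADER;
  console.log('empty cookies in sample header:', emptyCookies(header));
  console.log('set-cookie for two nodes:', buildSetCookie('horde_menu_expanded', expandedCookieValue(['n1', 'n2'])));
  console.log('set-cookie after collapsing all:', buildSetCookie('horde_menu_expanded', expandedCookieValue([])));
}

demo();
```

With the helper in place, collapsing every node yields an expiring cookie rather than an empty one, so the next request carries no horde_menu_expanded cookie at all and the rule that rejected the request in the audit report has nothing to match.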