[Tickets #7931] Re: Left Logout button throws "malicious request"
bugs at horde.org
Mon Mar 23 13:36:53 UTC 2009
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/7931
------------------------------------------------------------------------------
Ticket | 7931
Updated By | bhalsema at purdue.edu
Summary | Left Logout button throws "malicious request"
Queue | Horde Groupware Webmail Edition
Version | 1.2.2
Type | Bug
State | No Feedback
Priority | 1. Low
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
bhalsema at purdue.edu (2009-03-23 09:36) wrote:
Installed Software
--------------------------
* RHEL5 RPM Installations
Apache 2.2
PHP v5.1.6
MySQL 5.0.45
* Horde Groupware Webmail Edition (version 1.2.2)
http://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.2.tar.gz
* Memcached (version 1.2.6)
http://www.danga.com/memcached/download.bml
* Memcache PHP Module (version 2.2.5)
http://pecl.php.net/package/memcache
Configuration
--------------------
* Database => MySQL
* Authentication => imp
* Session Handler => Default PHP Session Handler
* /etc/php.ini
Using the default /etc/php.ini file with the recommended additional or
modified lines to support the Memcache Session Handler.
[NOTE: Many of these settings are quite short in order to test behavior.]
extension=memcache.so
session.save_handler = memcache
session.save_path = "tcp://localhost:11211"
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 300
session.gc_probability = 1
session.gc_divisor = 1
session.gc_maxlifetime = 122
expose_php = Off
display_errors = Off (default)
log_errors = On (default)
register_globals = Off (default)
* /etc/php.d/memcache.ini
memcache.allow_failover = 1
memcache.max_failover_attempts = 20
memcache.chunk_size = 8192
memcache.default_port = 11211
memcache.hash_strategy = standard
memcache.hash_function = crc32
* I am currently running the Memcached daemon in the foreground, so that I
could better see the dialogue between the application and the server.
Problem
------------
* Thus far, everything seems to work until I attempt to log out.
* If I click on an application in the sidebar and then click on the "Log out"
icon at the top of the frame, log out is successful. The displayed URL is:
https://hostname/imp/login.php?horde_logout_token=<tokenstring>=horde&logout_reason=logout
* If I click on the "Log out" in the side bar, I receive the error:
We cannot verify that this request was really sent by you. It could
be a malicious request. If you intended to perform this action,
you can retry it now.
The displayed URL is:
https://hostname/login.php?horde_logout_token=<tokenstring>=horde&logout_reason=logout
However, if I modify the URL and change it to the following (please notice
that the only change is the addition of "imp" to the URL):
https://hostname/imp/login.php?horde_logout_token=<tokenstring>=horde&logout_reason=logout
it then successfully logs out.
* I have tracked down the code which is responsible for the error. It is
located in the 'checkRequestToken' function in the file,
<Horde root directory>/lib/Horde.php
--------------------------------------------
function checkRequestToken($slug, $token)
{
    // Token unknown to this session: it was never issued here, or the
    // session data it was stored in is gone.
    if (empty($_SESSION['horde_form_secrets'][$token])) {
        return PEAR::raiseError(_("We cannot verify that this request was really sent by you. It could be a malicious request. If you intended to perform this action, you can retry it now."));
    }
    // Token known, but issued more than token_lifetime minutes ago.
    if (($_SESSION['horde_form_secrets'][$token] +
         $GLOBALS['conf']['urls']['token_lifetime'] * 60) < time()) {
        return PEAR::raiseError(sprintf(_("This request cannot be completed because the link you followed or the form you submitted was only valid for %s minutes. Please try again now."), $GLOBALS['conf']['urls']['token_lifetime']));
    }
    return true;
}
--------------------------------------------
* When I used the Horde Memcache Session Handler, all "Log outs" (icon
and sidebar) worked. However, the Horde Memcache Session Handler does
not include an expiration on the session in the communication with
the Memcached daemon, which is something we require.
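The following is an added example, not code from the ticket or from Horde. It models the two branches of the checkRequestToken() function quoted above in Python, with an in-memory stand-in for a session save handler that expires sessions after a TTL (the PECL memcache handler uses session.gc_maxlifetime, 122 seconds in the configuration above, as the expiry it sends to memcached). It shows which message each branch produces: a token that is unknown to the session, for example because the session data expired while the browser still holds the cookie, yields the "malicious request" text, while a known but stale token yields the "only valid for N minutes" text. The token format, the fake clock and the session id are assumptions for the demonstration; the example illustrates the check's semantics and does not diagnose the sidebar/icon difference reported in the ticket.

```python
"""Model of the request-token check quoted in the ticket (added example,
not Horde code).  Token format, session store and clock are assumptions."""
import hashlib
import os
import time

CANNOT_VERIFY = ("We cannot verify that this request was really sent by you. "
                 "It could be a malicious request.")


class SessionStore:
    """Stand-in for a save handler that stores each session with a TTL.
    The PECL memcache handler uses session.gc_maxlifetime as that TTL; the
    browser cookie (session.cookie_lifetime) expires independently."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._data = {}  # session id -> (expires_at, session dict)

    def write(self, sid, data):
        self._data[sid] = (self.clock() + self.ttl, data)

    def read(self, sid):
        entry = self._data.get(sid)
        if entry is None or entry[0] <= self.clock():
            # Expired or never stored: PHP hands the script an empty $_SESSION.
            self._data.pop(sid, None)
            return {}
        return entry[1]


def get_request_token(session, clock=time.time):
    """Issuing side: remember when each token was handed out (assumed format)."""
    token = hashlib.sha1(os.urandom(16)).hexdigest()
    session.setdefault("horde_form_secrets", {})[token] = int(clock())
    return token


def check_request_token(session, token, token_lifetime_min, clock=time.time):
    """Same two branches as checkRequestToken() in the ticket.
    Returns (ok, message)."""
    secrets = session.get("horde_form_secrets", {})
    if not secrets.get(token):
        return False, CANNOT_VERIFY
    if secrets[token] + token_lifetime_min * 60 < clock():
        return False, ("This request cannot be completed because the link you "
                       "followed was only valid for %d minutes." % token_lifetime_min)
    return True, ""


def scenario(delay_seconds, session_ttl=122, token_lifetime_min=30):
    """Issue a logout token, wait delay_seconds, then present it again.
    A fake clock keeps the run deterministic."""
    now = [1000.0]
    clock = lambda: now[0]
    store = SessionStore(session_ttl, clock)
    sid = "PHPSESSID-example"  # constructed session id

    session = store.read(sid)
    token = get_request_token(session, clock)
    store.write(sid, session)

    now[0] += delay_seconds
    session = store.read(sid)  # {} if the save handler expired the session
    return check_request_token(session, token, token_lifetime_min, clock)


if __name__ == "__main__":
    print(scenario(10))                                        # token accepted
    print(scenario(130))                                       # session gone: "malicious request"
    print(scenario(130, session_ttl=3600, token_lifetime_min=1))  # token stale: "only valid for 1 minutes"
```

The distinction matters when reading the error: the "malicious request" text is raised before any lifetime comparison, so it says nothing about how old the link is, only that the current session has no record of the token. In this model the second case is reached with a session TTL of 122 seconds and a cookie that is still valid, which is why it is worth comparing the save handler's expiry with session.cookie_lifetime when chasing such errors.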