[Tickets #15095] Horde allows unauthenticated users

noreply at bugs.horde.org noreply at bugs.horde.org
Mon Feb 14 07:33:19 UTC 2022


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/15095
------------------------------------------------------------------------------
  Ticket             | 15095
  Created By         | horde_bugs at arpnet.net
  Summary            | Horde allows unauthenticated users
  Queue              | Horde Groupware
  Version            | 5.2.22
  Type               | Bug
  State              | Unconfirmed
  Priority           | 3. High
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


horde_bugs at arpnet.net (2022-02-14 07:33) wrote:

I have a Horde install on FreeBSD/Dovecot/postfix that is supposed to
authenticate users against a MySQL database. The users are added to
the database with postfixadmin.
If a user logs into Horde with a legitimate username and an incorrect
password, Horde lets them through, allowing access to Contacts,
Calendar etc. but not mail; however, IMP throws the error:
"User is not authorized for Mail (Host: ***.***.***.****)". Also, if the
legitimate username with the wrong password is an admin, Horde allows
access to the Administration Configuration.

If the user enters the proper password, everything is fine and there are no errors.

Is this a bug or a misconfiguration? How do I resolve this?




<?php
/* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
$conf['vhosts'] = false;
$conf['debug_level'] = E_ALL & ~E_NOTICE;
$conf['max_exec_time'] = 0;
$conf['compress_pages'] = true;
$conf['secret_key'] = '**';
$conf['umask'] = 077;
$conf['testdisable'] = true;
$conf['use_ssl'] = 2;
$conf['server']['name'] = $_SERVER['SERVER_NAME'];
$conf['urls']['token_lifetime'] = 30;
$conf['urls']['hmac_lifetime'] = 30;
$conf['urls']['pretty'] = false;
$conf['safe_ips'] = array();
$conf['session']['name'] = 'Horde';
$conf['session']['use_only_cookies'] = true;
$conf['session']['timeout'] = 0;
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['max_time'] = 72000;
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/';
$conf['sql']['username'] = '**';
$conf['sql']['password'] = '**';
$conf['sql']['hostspec'] = 'localhost';
$conf['sql']['port'] = 3306;
$conf['sql']['protocol'] = 'tcp';
$conf['sql']['database'] = 'horde';
$conf['sql']['charset'] = 'utf-8';
$conf['sql']['ssl'] = false;
$conf['sql']['splitread'] = false;
$conf['sql']['logqueries'] = false;
$conf['sql']['phptype'] = 'mysql';
$conf['nosql']['phptype'] = false;
$conf['ldap']['useldap'] = false;
$conf['auth']['admins'] = array('**');
$conf['auth']['checkip'] = true;
$conf['auth']['checkbrowser'] = true;
$conf['auth']['resetpassword'] = true;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
$conf['auth']['list_users'] = 'list';
$conf['auth']['params']['phptype'] = 'mysql';
$conf['auth']['params']['hostspec'] = 'localhost';
$conf['auth']['params']['protocol'] = 'tcp';
$conf['auth']['params']['username'] = 'postfix';
$conf['auth']['params']['password'] = '**';
$conf['auth']['params']['database'] = 'postfix';
$conf['auth']['params']['query_auth'] = 'SELECT password FROM mailbox WHERE username = \L';
$conf['auth']['params']['query_add'] = 'INSERT INTO mailbox (domain, username , password, home) VALUES ( SUBSTRING_INDEX(\L, \'@\', -1), \L, \P, \'/usr/local/virtual/SUBSTRING_INDEX(\L, \'@\', -1)/\L\')';
$conf['auth']['params']['query_getpw'] = 'SELECT password FROM mailbox WHERE username = \L';
$conf['auth']['params']['query_update'] = '';
$conf['auth']['params']['query_resetpassword'] = 'UPDATE mailbox SET password = \P WHERE username = \L AND password = \P';
$conf['auth']['params']['query_remove'] = 'DELETE FROM mailbox WHERE username = \L AND domain = SUBSTRING_INDEX(\L, \'@\', -1)';
$conf['auth']['params']['query_list'] = 'SELECT * FROM mailbox';
$conf['auth']['params']['query_exists'] = 'SELECT 1 FROM mailbox WHERE SUBSTRING_INDEX(\L, \'@\', 1) AND domain = SUBSTRING_INDEX(\L, \'@\', -1)';
$conf['auth']['params']['encryption'] = 'crypt-md5';
$conf['auth']['params']['show_encryption'] = true;
$conf['auth']['driver'] = 'customsql';
$conf['auth']['params']['count_bad_logins'] = true;
$conf['auth']['params']['login_block'] = true;
$conf['auth']['params']['login_block_count'] = 3;
$conf['auth']['params']['login_block_time'] = 15;
$conf['signup']['params']['driverconfig'] = 'horde';
$conf['signup']['driver'] = 'Sql';
$conf['signup']['email'] = '**';
$conf['signup']['approve'] = true;
$conf['signup']['allow'] = true;
$conf['log']['priority'] = 'INFO';
$conf['log']['ident'] = 'HORDE';
$conf['log']['name'] = LOG_USER;
$conf['log']['type'] = 'syslog';
$conf['log']['enabled'] = true;
$conf['log_accesskeys'] = false;
$conf['prefs']['maxsize'] = 65535;
$conf['prefs']['params']['driverconfig'] = 'horde';
$conf['prefs']['driver'] = 'Sql';
$conf['alarms']['params']['driverconfig'] = 'horde';
$conf['alarms']['params']['ttl'] = 300;
$conf['alarms']['driver'] = 'Sql';
$conf['group']['params']['driverconfig'] = 'horde';
$conf['group']['driver'] = 'Sql';
$conf['perms']['driverconfig'] = 'horde';
$conf['perms']['driver'] = 'Sql';
$conf['share']['no_sharing'] = false;
$conf['share']['auto_create'] = true;
$conf['share']['world'] = true;
$conf['share']['any_group'] = false;
$conf['share']['hidden'] = false;
$conf['share']['cache'] = false;
$conf['share']['driver'] = 'Sqlng';
$conf['cache']['default_lifetime'] = 86400;
$conf['cache']['params']['sub'] = 0;
$conf['cache']['driver'] = 'File';
$conf['cache']['use_memorycache'] = '';
$conf['cachecssparams']['url_version_param'] = true;
$conf['cachecss'] = false;
$conf['cachejsparams']['url_version_param'] = true;
$conf['cachejs'] = false;
$conf['cachethemes'] = false;
$conf['lock']['params']['driverconfig'] = 'horde';
$conf['lock']['driver'] = 'Sql';
$conf['token']['params']['driverconfig'] = 'horde';
$conf['token']['driver'] = 'Sql';
$conf['history']['params']['driverconfig'] = 'horde';
$conf['history']['driver'] = 'Sql';
$conf['davstorage']['params']['driverconfig'] = 'horde';
$conf['davstorage']['driver'] = 'Sql';
$conf['mailer']['params']['host'] = '**';
$conf['mailer']['params']['port'] = 25;
$conf['mailer']['params']['secure'] = 'tls';
$conf['mailer']['params']['localhost'] = '**';
$conf['mailer']['params']['auth'] = false;
$conf['mailer']['params']['lmtp'] = false;
$conf['mailer']['type'] = 'smtp';
$conf['vfs']['params']['driverconfig'] = 'horde';
$conf['vfs']['type'] = 'Sql';
$conf['sessionhandler']['type'] = 'Builtin';
$conf['sessionhandler']['hashtable'] = false;
$conf['spell']['params']['path'] = '/usr/local/bin/aspell';
$conf['spell']['driver'] = 'aspell';
$conf['gnupg']['path'] = '/usr/local/bin/gpg';
$conf['gnupg']['keyserver'] = array('pool.sks-keyservers.net', 'subkeys.pgp.net', 'pgp.mit.edu');
$conf['gnupg']['timeout'] = 10;
$conf['nobase64_img'] = false;
$conf['image']['convert'] = '/usr/local/bin/convert';
$conf['image']['identify'] = '/usr/local/bin/identify';
$conf['image']['driver'] = 'Im';
$conf['exif']['driver'] = 'Bundled';
$conf['timezone']['location'] = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz';
$conf['problems']['email'] = '**';
$conf['problems']['maildomain'] = '**';
$conf['problems']['tickets'] = false;
$conf['problems']['attachments'] = true;
$conf['menu']['links']['help'] = 'all';
$conf['menu']['links']['prefs'] = 'authenticated';
$conf['menu']['links']['problem'] = 'never';
$conf['menu']['links']['login'] = 'all';
$conf['menu']['links']['logout'] = 'authenticated';
$conf['portal']['fixed_blocks'] = array('horde:horde_Block_Cloud',  
'horde:horde_Block_Feed', 'horde:horde_Block_Iframe',  
'horde:horde_Block_Moon', 'horde:horde_Block_Sunrise',  
'horde:horde_Block_Time', 'horde:horde_Block_Vatid',  
'horde:horde_Block_Account', 'ingo:ingo_Block_Overview',  
'kronolith:kronolith_Block_Monthlist',  
'kronolith:kronolith_Block_Prevmonthlist',  
'kronolith:kronolith_Block_Summary',  
'kronolith:kronolith_Block_Month', 'mnemo:mnemo_Block_Summary',  
'mnemo:mnemo_Block_Note', 'nag:nag_Block_Summary',  
'trean:trean_Block_Mostclicked', 'trean:trean_Block_Bookmarks',  
'turba:turba_Block_Minisearch');
$conf['accounts']['driver'] = 'null';
$conf['user']['verify_from_addr'] = true;
$conf['user']['select_view'] = true;
$conf['facebook']['enabled'] = false;
$conf['twitter']['enabled'] = false;
$conf['urlshortener'] = false;
$conf['weather']['provider'] = false;
$conf['imap']['enabled'] = false;
$conf['imsp']['enabled'] = false;
$conf['kolab']['enabled'] = false;
$conf['hashtable']['driver'] = 'none';
$conf['activesync']['enabled'] = false;
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */

database tables:

+-----------------------+
| Tables_in_postfix     |
+-----------------------+
| admin                 |
| alias                 |
| alias_domain          |
| config                |
| domain                |
| domain_admins         |
| fetchmail             |
| log                   |
| mailbox               |
| quota                 |
| quota2                |
| vacation              |
| vacation_notification |
+-----------------------+
13 rows in set (0.00 sec)

mailbox table:
+-----------------+--------------+------+-----+---------------------+-------+
| Field           | Type         | Null | Key | Default             | Extra |
+-----------------+--------------+------+-----+---------------------+-------+
| username        | varchar(255) | NO   | PRI | NULL                |       |
| password        | varchar(255) | NO   |     | NULL                |       |
| name            | varchar(255) | NO   |     | NULL                |       |
| maildir         | varchar(255) | NO   |     | NULL                |       |
| quota           | bigint(20)   | NO   |     | 0                   |       |
| local_part      | varchar(255) | NO   |     | NULL                |       |
| domain          | varchar(255) | NO   | MUL | NULL                |       |
| created         | datetime     | NO   |     | 2000-01-01 00:00:00 |       |
| modified        | datetime     | NO   |     | 2000-01-01 00:00:00 |       |
| active          | tinyint(1)   | NO   |     | 1                   |       |
| phone           | varchar(30)  | NO   |     |                     |       |
| email_other     | varchar(255) | NO   |     |                     |       |
| token           | varchar(255) | NO   |     |                     |       |
| token_validity  | datetime     | NO   |     | 2000-01-01 00:00:00 |       |
| password_expiry | datetime     | NO   |     | 2000-01-01 00:00:00 |       |
+-----------------+--------------+------+-----+---------------------+-------+
15 rows in set (0.00 sec)
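
The posted query_auth selects the stored password hash by username only and contains no \P placeholder, unlike query_add and query_resetpassword in the same conf.php. As written, the query returns a row for every existing mailbox whatever password is submitted; what happens next depends on how the Horde_Auth_Customsql driver in use treats that row, which is the thing to check against the driver's source for the installed Horde_Auth version. The simulation below is an added example, not Horde or postfixadmin code: it builds a SQLite stand-in for the mailbox table shown above (the "$demo$..." hash format is a constructed placeholder, not postfixadmin's crypt-md5), runs the posted query shape with a bound parameter in place of \L, and contrasts a driver that accepts any non-empty result with one that verifies the submitted password against the returned hash and also honours the active column. The first model reproduces the reported symptom exactly: any password is accepted for a known username, unknown usernames are rejected.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed stand-in for the postfixadmin 'mailbox' table in the report.
# The password format "$demo$<salt>$<sha256>" is a placeholder for this
# example only; it is NOT the crypt-md5 format postfixadmin writes.


def hash_password(plain: str, salt: str = "") -> str:
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256((salt + plain).encode("utf-8")).hexdigest()
    return f"$demo${salt}${digest}"


def verify_password(plain: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        _, scheme, salt, _digest = stored.split("$")
    except ValueError:
        return False
    if scheme != "demo":
        return False
    return hmac.compare_digest(hash_password(plain, salt), stored)


def make_db() -> sqlite3.Connection:
    """In-memory table with the columns the conf.php queries touch (sample rows are constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE mailbox ("
        " username TEXT PRIMARY KEY, password TEXT NOT NULL,"
        " domain TEXT NOT NULL, active INTEGER NOT NULL DEFAULT 1)"
    )
    db.executemany(
        "INSERT INTO mailbox (username, password, domain, active) VALUES (?, ?, ?, ?)",
        [
            ("alice@example.test", hash_password("correct horse"), "example.test", 1),
            ("admin@example.test", hash_password("s3cret-admin"), "example.test", 1),
            ("old@example.test", hash_password("retired"), "example.test", 0),
        ],
    )
    return db


# The query shape from the posted conf.php: username only, no \P placeholder.
QUERY_AUTH_AS_POSTED = r"SELECT password FROM mailbox WHERE username = \L"
# Variant that also refuses disabled mailboxes; the hash still has to be verified in code.
QUERY_AUTH_ACTIVE_ONLY = r"SELECT password FROM mailbox WHERE username = \L AND active = 1"


def run_auth_query(db: sqlite3.Connection, template: str, username: str):
    r"""Substitute \L with a bound parameter (Horde quotes a literal; same effect here)."""
    sql = template.replace(r"\L", "?")
    return db.execute(sql, (username,)).fetchone()


def login_row_means_success(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Model A: any non-empty result of query_auth counts as a successful login.
    The submitted password is never consulted, so every known mailbox accepts
    every password. This is the behaviour described in the report."""
    return run_auth_query(db, QUERY_AUTH_AS_POSTED, username) is not None


def login_verified(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Model B: the returned column is a hash that must match the submitted
    password, and disabled mailboxes are excluded by the query itself."""
    row = run_auth_query(db, QUERY_AUTH_ACTIVE_ONLY, username)
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    attempts = [
        ("alice@example.test", "wrong"),
        ("alice@example.test", "correct horse"),
        ("nobody@example.test", "wrong"),
        ("old@example.test", "retired"),
    ]
    for user, pw in attempts:
        print(f"{user:22} {pw!r:18} row-only={login_row_means_success(db, user, pw)!s:5} "
              f"verified={login_verified(db, user, pw)}")
```

Two further points a reviewer would raise from the config alone: $conf['auth']['admins'] grants administrator status by username, so under model A knowing an admin's address is enough for the Administration pages, which is what the report observes; and the IMP failure is consistent with model A, since IMP logs into the IMAP server with the submitted credentials and Dovecot, which does verify the hash, rejects the wrong password (Dovecot's auth log should show that failed IMAP login next to the successful Horde login). Other visible defects in the posted queries are worth fixing at the same time: query_exists compares nothing against local_part (the first WHERE term is a bare SUBSTRING_INDEX expression), and query_resetpassword uses \P for both the new and the old password.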
