[horde] Security hole?
Michael M Slusarz
slusarz at horde.org
Wed May 3 12:06:54 PDT 2006
Quoting myhorde at nbiss.com:
> This invading IP had a lot of sequential activity and every time it was
> a valid HTTP response from my side.
>
> I will provide more details later.
>
> Thanks
>
> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> Quoting myhorde at nbiss.com:
>>
>>> This came from the outside user and I don't have any.
>>> There was also a lot of other stuff from the same IP.
>>> My question is: is it possible to send this URL directly and receive
>>> a valid response without having a valid session?
>>
>> No. In the case you gave, horde/services/download/index.php calls
>> imp/view.php which calls imp/lib/base.php which is where we do
>> authentication.
Of course it would receive a valid HTTP response - since Horde/IMP
would send back a login page w/message that the user's session is
expired any time that URL would be accessed.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
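
One way to check the point above against an access log, as an added example that is not part of the original thread or of Horde: a 200 status alone does not show that a download was served, so the script separates responses that look like the login page from those that look like content. The log lines, the /horde URL prefix, the login-page size and the tolerance are constructed assumptions; measure the real size by requesting the URL without a session.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2006:10:01:02 -0700] "GET /horde/services/download/index.php HTTP/1.1" 200 4312 "-" "-"
203.0.113.7 - - [03/May/2006:10:01:03 -0700] "GET /horde/services/download/index.php HTTP/1.1" 200 4330 "-" "-"
203.0.113.7 - - [03/May/2006:10:01:04 -0700] "GET /horde/services/download/index.php HTTP/1.1" 302 0 "-" "-"
198.51.100.20 - - [03/May/2006:10:05:00 -0700] "GET /horde/services/download/index.php HTTP/1.1" 200 88211 "-" "-"
198.51.100.20 - - [03/May/2006:10:05:09 -0700] "GET /horde/imp/mailbox.php HTTP/1.1" 200 15200 "-" "-"
"""

# Path from the thread; the leading /horde install prefix is an assumption.
DOWNLOAD_PATH = "/horde/services/download/index.php"
LOGIN_PAGE_BYTES = 4312  # assumption: measured by fetching the URL with no session
TOLERANCE = 64           # assumption: allowance for small variations in the page

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')

def classify(status, size):
    """Label one response to the download URL by what it most likely carried."""
    if status in (301, 302, 303, 307):
        return "login-redirect"  # assumption: a redirect here leads to the login page
    if status == 200 and abs(size - LOGIN_PAGE_BYTES) <= TOLERANCE:
        return "login-page"
    if status == 200:
        return "content-served"
    return "other"

def triage(log_text):
    """Return {client_ip: Counter(label -> hits)} for download-URL requests."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, url, status, size = m.groups()
        if url.split("?", 1)[0] != DOWNLOAD_PATH:
            continue  # only the URL under discussion is of interest
        per_ip[ip][classify(int(status), 0 if size == "-" else int(size))] += 1
    return dict(per_ip)

def needs_review(log_text):
    """IPs that received at least one 200 response that was not login-page sized."""
    return sorted(ip for ip, c in triage(log_text).items() if c["content-served"])

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("review:", needs_review(SAMPLE_LOG))
```

An IP listed by `needs_review` is only a lead: it means a response differed in size from the login page, which a logged-in user would also produce.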