[horde] Security hole?

Michael M Slusarz slusarz at horde.org
Wed May 3 12:06:54 PDT 2006


Quoting myhorde at nbiss.com:

> This invading IP had a lot of sequential activity and every time it was
> a valid HTTP response from my side.
>
> I will provide more details later.
>
> Thanks
>
> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> Quoting myhorde at nbiss.com:
>>
>>> This came from the outside user and I don't have any.
>>> There was also a lot of other stuff from the same IP.
>>> My question is :  is it possible to send this URL directly and receive
>>> a valid response without having valid session?
>>
>> No.  In the case you gave, horde/services/download/index.php calls
>> imp/view.php which calls imp/lib/base.php which is where we do
>> authentication.

Of course it would receive a valid HTTP response - since Horde/IMP
would send back a login page w/message that the user's session is
expired any time that URL would be accessed.

michael

___________________________________
Michael Slusarz [slusarz at horde.org]

