[horde] Potential Security Risk in specific Configuration
Chuck Hagenbuch
chuck at horde.org
Sun Apr 22 04:09:23 UTC 2007
Quoting Markus Petzsch <m.petzsch at net-hoster.de>:
> Now to my problem. I'm in a multiserver environment where users create
> their own domains and email accounts by a Control Panel (VHCS). Some users
> have access to so-called reseller privileges so they can create their own
> domains without providing proof that they own it or that it actually
> delegates to their server. All those servers use a central Horde login,
> which identifies the users by IMP IMAP login functionality. The server
> is chosen from a dropdown box upon login. Now the security problem: If
> an identical user account exists on two servers they share the same
> settings, calendar data, notes and address book. This is because the
> object user is only described by their email address. On the other hand
> merging servername*username to a unique username would bring problems in
> the calendar or notes sharing among different users. Either way the
> current state is not acceptable for me. Hope you can help me.
What do you mean that including the servername would cause
calendar/notes sharing problems?
Your particular problem is exactly what the "realms" feature in IMP is
for - user data is stored with their full user@domain.com name based
on what email server they log in to.
-chuck
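
An added example, not part of the original thread and not Horde's own code: a small model of the realm rule described in the reply, used to audit which mailboxes would end up sharing one Horde identity (and therefore settings, calendar, notes and address book). The server keys, realms, account names and function names are constructed placeholders, and the rule that an empty realm leaves the login unchanged is an assumption of the model.

```python
from collections import defaultdict

# Constructed sample data: server keys, realms and account names are
# placeholders, not values from the original thread.
SERVERS_NO_REALM = {"srv1": {"realm": ""}, "srv2": {"realm": ""}}
SERVERS_WITH_REALM = {"srv1": {"realm": "srv1.example.net"},
                      "srv2": {"realm": "srv2.example.net"}}
ACCOUNTS = {"srv1": ["info", "alice"], "srv2": ["info", "bob"]}


def horde_identity(login, realm):
    """Model of the realm rule: append '@' + realm to the IMAP login.

    Assumption: an empty realm leaves the login unchanged, so the
    identity that owns prefs, calendar, notes and address book is the
    bare IMAP username.
    """
    return f"{login}@{realm}" if realm else login


def shared_identities(servers, accounts):
    """Return {identity: [(server, login), ...]} for every identity that
    more than one mailbox maps to, i.e. mailboxes that would share data."""
    owners = defaultdict(list)
    for server, logins in accounts.items():
        realm = servers[server].get("realm", "")
        for login in logins:
            owners[horde_identity(login, realm)].append((server, login))
    return {ident: who for ident, who in owners.items() if len(who) > 1}


if __name__ == "__main__":
    for label, cfg in (("no realm", SERVERS_NO_REALM),
                       ("per-server realm", SERVERS_WITH_REALM)):
        result = shared_identities(cfg, ACCOUNTS)
        print(label, "->", result or "no shared identities")
```

Two servers configured with the same realm still collide in this model, so the audit is worth running against the real account lists whenever a server entry is added.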