[horde] Clarification of "User is not authorized for imp"
lst_hoe02 at kwsoft.de
Tue Jul 30 07:36:38 UTC 2013
Quoting Michael M Slusarz <slusarz at horde.org>:
> Quoting Kareem Dana <kareem.dana at gmail.com>:
>
>> I just installed a fresh horde 5.1.2 and imp 6.1.3. Imp is configured to
>> handle authentication and imp connects to dovecot. If I directly go to the
>> url http://192.168.1.5/horde/imp, Horde redirects me to horde/login.php and
>> shows the standard login page, but it also throws up the following well
>> known error in the logs:
>>
>> Jul 28 20:46:44 test1 HORDE: User is not authorized for imp [pid 21092 on
>> line 267 of "/usr/local/share/pear/Horde/Registry.php"]
>
> And this is correct. DON'T do this. There is a single login page
> for Horde. An access to any other page is an indication that a user
> is trying to access Horde services - so without proper
> authentication credentials set, this is obviously a potential
> security issue and needs to be logged (since there is no way to
> differentiate between a user "accidentally" visiting a permission
> protected page vs. an attacker scanning for vulnerabilities).
>
> michael
But it should be configurable at which level to log, no? It has a
potential for DoS because many clients use strange URLs at a high rate
in case of errors and logging this with a rate of some hundreds per
second isn't fun at all, especially if it is at EMERGENCY or the like.
We cannot prevent stupid clients from accessing invalid URLs, but we
should be able to prevent this from becoming a problem.
Regards
Andreas