[horde] Clarification of "User is not authorized for imp"

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Tue Jul 30 07:36:38 UTC 2013


Quoting Michael M Slusarz <slusarz at horde.org>:

> Quoting Kareem Dana <kareem.dana at gmail.com>:
>
>> I just installed a fresh horde 5.1.2 and imp 6.1.3. Imp is configured to
>> handle authentication and imp connects to dovecot. If I directly go to the
>> url http://192.168.1.5/horde/imp, Horde redirects me to horde/login.php and
>> shows the standard login page, but it also throws up the following well
>> known error in the logs:
>>
>> Jul 28 20:46:44 test1 HORDE: User is not authorized for imp [pid 21092 on
>> line 267 of "/usr/local/share/pear/Horde/Registry.php"]
>
> And this is correct.  DON'T do this.  There is a single login page  
> for Horde.  An access to any other page is an indication that a user  
> is trying to access Horde services - so without proper  
> authentication credentials set, this is obviously a potential  
> security issue and needs to be logged (since there is no way to  
> differentiate between a user "accidentally" visiting a permission  
> protected page vs. an attacker scanning for vulnerabilities).
>
> michael

But it should be configurable at which level to log, no? It has a  
potential for DoS because many clients use strange URLs at a high rate  
in case of errors and logging this with a rate of some hundreds per  
second isn't fun at all, especially if it is at EMERGENCY or the like.
We cannot prevent stupid clients from accessing invalid URLs, but we  
should be able to prevent this from becoming a problem.

Regards

Andreas
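
An added example, not part of the original thread or of Horde's code: a small log check that counts "User is not authorized for ..." entries per host, application and second, and reports the seconds where the rate reaches a threshold, which is the flood condition discussed above. The line format is taken from the log entry quoted in the thread; the threshold, the assumed year and the flood lines in the sample are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the Horde syslog entry quoted in the thread (one entry per line).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) HORDE: '
    r'User is not authorized for (?P<app>\S+) \[pid \d+ '
)

def parse(line, year=2013):
    """Return (timestamp, host, app) for a matching entry, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year, so one is assumed here.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m['host'], m['app']

def find_bursts(lines, threshold=100, year=2013):
    """Return [((timestamp, host, app), count)] for every one-second
    bucket whose count of 'not authorized' entries reaches threshold."""
    counts = Counter()
    for line in lines:
        rec = parse(line, year)
        if rec:
            counts[rec] += 1
    return sorted((key, n) for key, n in counts.items() if n >= threshold)

# The entry from the thread, followed by constructed sample data:
# 150 entries within one second, plus one unrelated line.
QUOTED = ('Jul 28 20:46:44 test1 HORDE: User is not authorized for imp '
          '[pid 21092 on line 267 of '
          '"/usr/local/share/pear/Horde/Registry.php"]')
SAMPLE = [QUOTED] + [
    QUOTED.replace('20:46:44', '20:46:45') for _ in range(150)
] + ['Jul 28 20:46:45 test1 sshd[999]: constructed unrelated line']

if __name__ == '__main__':
    for (ts, host, app), n in find_bursts(SAMPLE):
        print(f"{ts} {host} {app}: {n} unauthorized-access entries in 1s")
```
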



