[horde] Clarification of "User is not authorized for imp"

Kareem Dana kareem.dana at gmail.com
Tue Jul 30 14:47:20 UTC 2013


It is at the emergency level here, and on my FreeBSD machine it also logs
to the system console, which is quite annoying, but I can change that with
syslog.

I believe, at least on my site, this will generate a lot of false positives
and it gives me no information that httpd-access.log doesn't give me
already since the log is generated right when a user connects to
"/horde/imp" before attempting to even login.

We will see though - I don't think a DoS would be a big problem. Worst case
is that that specific log message fills the horde logs and syslog
rotates them more often. My concern is that if the goal of this log message
is to alert the administrator of a potential attack but it also logs so
many false positives it just may not be that useful of a log message as it
stands now. I will deploy this new version soon and see how it looks though.

Thanks,
Kareem


On Tue, Jul 30, 2013 at 2:36 AM, <lst_hoe02 at kwsoft.de> wrote:

>
> Zitat von Michael M Slusarz <slusarz at horde.org>:
>
>
>> Quoting Kareem Dana <kareem.dana at gmail.com>:
>>
>>> I just installed a fresh horde 5.1.2 and imp 6.1.3. Imp is configured to
>>> handle authentication and imp connects to dovecot. If I directly go to
>>> the url http://192.168.1.5/horde/imp, Horde redirects me to horde/login.php
>>> and shows the standard login page, but it also throws up the following
>>> well known error in the logs:
>>>
>>> Jul 28 20:46:44 test1 HORDE: User is not authorized for imp [pid 21092 on
>>> line 267 of "/usr/local/share/pear/Horde/Registry.php"]
>>>
>>
>> And this is correct.  DON'T do this.  There is a single login page for
>> Horde.  An access to any other page is an indication that a user is trying
>> to access Horde services - so without proper authentication credentials
>> set, this is obviously a potential security issue and needs to be logged
>> (since there is no way to differentiate between a user "accidentally"
>> visiting a permission-protected page vs. an attacker scanning for
>> vulnerabilities).
>>
>> michael
>>
>
> But it should be configurable at which level to log, no? It has a
> potential for DoS because many clients use strange URLs at a high rate in
> case of errors, and logging this at a rate of some hundreds per second
> isn't fun at all, especially if it is at EMERGENCY or the like.
> We cannot prevent stupid clients from accessing invalid URLs, but we
> should be able to prevent this from becoming a problem.
>
> Regards
>
> Andreas
>
>
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
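A defender-side illustration of the false-positive concern raised in this thread, added here and not part of the original messages: instead of treating every single "User is not authorized" line as an alert, the script parses the Horde log format quoted above and flags only a host that produces a burst of such lines inside a short sliding window. Hostnames, pids, timestamps, the window and the threshold are constructed values, not anything from the thread or from Horde itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the Horde message quoted in the thread; host, app and pid are captured.
NOT_AUTHORIZED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) HORDE: "
    r"User is not authorized for (?P<app>\S+) \[pid (?P<pid>\d+)"
)

# Constructed sample log (host, pids, timestamps made up): two isolated hits,
# one unrelated line, then five hits from the same host within four seconds.
SAMPLE_LOG = """\
Jul 28 20:46:44 test1 HORDE: User is not authorized for imp [pid 21092 on line 267 of "/usr/local/share/pear/Horde/Registry.php"]
Jul 28 20:46:59 test1 HORDE: Login success for alice [pid 21095 on line 1 of "Auth.php"]
Jul 28 20:47:10 test1 HORDE: User is not authorized for imp [pid 21096 on line 267 of "/usr/local/share/pear/Horde/Registry.php"]
Jul 28 21:10:00 test1 HORDE: User is not authorized for imp [pid 21150 on line 267 of "/usr/local/share/pear/Horde/Registry.php"]
Jul 28 21:10:00 test1 HORDE: User is not authorized for imp [pid 21151 on line 267 of "/usr/local/share/pear/Horde/Registry.php"]
Jul 28 21:10:01 test1 HORDE: User is not authorized for imp [pid 21152 on line 267 of "/usr/local/share/pear/Horde/Registry.php"]
Jul 28 21:10:02 test1 HORDE: User is not authorized for imp [pid 21154 on line 267 of "/usr/local/share/pear/Horde/Registry.php"]
Jul 28 21:10:03 test1 HORDE: User is not authorized for imp [pid 21155 on line 267 of "/usr/local/share/pear/Horde/Registry.php"]
"""


def find_bursts(lines, window_seconds=10, threshold=5):
    """Return (total_hits, alerts); an alert is (host, window_start, count),
    emitted once when a host's hits inside the sliding window reach threshold."""
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    alerted = set()              # hosts already alerted for the current burst
    total, alerts = 0, []
    for line in lines:
        m = NOT_AUTHORIZED.match(line)
        if not m:
            continue
        total += 1
        host = m.group("host")
        # syslog timestamps carry no year; every line gets the same default year,
        # so differences within one log are still correct.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop hits that fell out of the window
        if len(q) < threshold:
            alerted.discard(host)  # burst subsided; a new burst may alert again
        elif host not in alerted:
            alerted.add(host)
            alerts.append((host, q[0].strftime("%b %d %H:%M:%S"), len(q)))
    return total, alerts


if __name__ == "__main__":
    total, alerts = find_bursts(SAMPLE_LOG.splitlines())
    print(f"{total} not-authorized hits, {len(alerts)} burst alert(s)")
    for host, start, count in alerts:
        print(f"  {host}: {count} hits within 10s starting {start}")
```

The two isolated hits are left as ordinary log noise; only the burst reaches the threshold, which is the distinction the thread says the raw emergency-level message cannot make on its own.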

