[horde] Clarification of "User is not authorized for imp"

Michael M Slusarz slusarz at horde.org
Tue Jul 30 15:02:31 UTC 2013


Quoting lst_hoe02 at kwsoft.de:

> Zitat von Michael M Slusarz <slusarz at horde.org>:
>
>> Quoting Kareem Dana <kareem.dana at gmail.com>:
>>
>>> I just installed a fresh horde 5.1.2 and imp 6.1.3. Imp is configured to
>>> handle authentication and imp connects to dovecot. If I directly go to the
>>> url http://192.168.1.5/horde/imp, Horde redirects me to horde/login.php and
>>> shows the standard login page, but it also throws up the following well
>>> known error in the logs:
>>>
>>> Jul 28 20:46:44 test1 HORDE: User is not authorized for imp [pid 21092 on
>>> line 267 of "/usr/local/share/pear/Horde/Registry.php"]
>>
>> And this is correct.  DON'T do this.  There is a single login page  
>> for Horde.  An access to any other page is an indication that a  
>> user is trying to access Horde services - so without proper  
>> authentication credentials set, this is obviously a potential  
>> security issue and needs to be logged (since there is no way to  
>> differentiate between a user "accidentally" visiting a permission-  
>> protected page vs. an attacker scanning for vulnerabilities).
>>
>> michael
>
> But it should be configurable at which level to log, no? It has a  
> potential for DoS because many clients use strange URLs at a high  
> rate in case of errors and logging this with a rate of some hundreds  
> per second isn't fun at all, especially if it is at EMERGENCY or the  
> like.
> We cannot prevent stupid clients from accessing invalid URLs, but  
> we should be able to prevent this from becoming a problem.

So what you are saying is that you should silence the error so that  
you will NEVER be able to have a log of potential attacks?

That sounds like a terrible way to ship a client by default.  Not to  
mention that anybody can go into the source and change the log level  
to what they want.

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
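One defender-side way to keep the attack signal Michael argues for while still addressing the log-flood concern raised in the thread is to aggregate the repeated Registry messages per host, application and time window, and flag only bursts, rather than silencing them. This is an added example, not Horde code: the regular expression matches the log line quoted above, while the burst threshold, the window size and the extra sample lines are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern for the Horde Registry message quoted in the thread. Syslog
# timestamps carry no year, so parse() takes one as an assumed default.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) HORDE: "
    r"User is not authorized for (?P<app>\w+) \[pid (?P<pid>\d+) on line "
    r"(?P<line>\d+) of \"(?P<file>[^\"]+)\"\]"
)

def parse(line, year=2013):
    """Return a dict for a 'User is not authorized' line, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "app": m["app"], "pid": int(m["pid"])}

def summarize(lines, window_s=60, burst_threshold=5):
    """Collapse events into (window_start, host, app, count, verdict) tuples.

    One isolated hit is most likely a stray client; a burst in one window
    is what a scan looks like, so it is what should reach the operator.
    """
    buckets = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unrelated syslog traffic is ignored, not counted
        start = int(ev["ts"].timestamp()) // window_s * window_s
        buckets[(start, ev["host"], ev["app"])] += 1
    out = []
    for (start, host, app), n in sorted(buckets.items()):
        verdict = "burst" if n >= burst_threshold else "isolated"
        out.append((datetime.fromtimestamp(start).isoformat(), host, app, n, verdict))
    return out

# Constructed sample: the line from the thread, a burst one minute later,
# and one unrelated (assumed) dovecot line that must be ignored.
SAMPLE_LOG = [
    'Jul 28 20:46:44 test1 HORDE: User is not authorized for imp [pid 21092 on line 267 of "/usr/local/share/pear/Horde/Registry.php"]',
] + [
    f'Jul 28 20:47:0{i} test1 HORDE: User is not authorized for imp [pid {21100 + i} on line 267 of "/usr/local/share/pear/Horde/Registry.php"]'
    for i in range(1, 6)
] + ['Jul 28 20:47:10 test1 dovecot: imap-login: Login: user=<alice>']

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The first window yields a single "isolated" entry and the second a five-event "burst", so the operator sees two summary rows instead of six raw log lines.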