[horde] Clarification of "User is not authorized for imp"

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Tue Jul 30 15:39:36 UTC 2013


Quoting Michael M Slusarz <slusarz at horde.org>:

> Quoting lst_hoe02 at kwsoft.de:
>
>> Quoting Michael M Slusarz <slusarz at horde.org>:
>>
>>> Quoting Kareem Dana <kareem.dana at gmail.com>:
>>>
>>>> I just installed a fresh horde 5.1.2 and imp 6.1.3. Imp is configured to
>>>> handle authentication and imp connects to dovecot. If I directly go to the
>>>> url http://192.168.1.5/horde/imp, Horde redirects me to  
>>>> horde/login.php and
>>>> shows the standard login page, but it also throws up the following well
>>>> known error in the logs:
>>>>
>>>> Jul 28 20:46:44 test1 HORDE: User is not authorized for imp [pid 21092 on
>>>> line 267 of "/usr/local/share/pear/Horde/Registry.php"]
>>>
>>> And this is correct.  DON'T do this.  There is a single login page  
>>> for Horde.  An access to any other page is an indication that a  
>>> user is trying to access Horde services - so without proper  
>>> authentication credentials set, this is obviously a potential  
>>> security issue and needs to be logged (since there is no way to  
>>> differentiate between a user "accidentally" visiting a permission  
>>> protected page vs. an attacker scanning for vulnerabilities).
>>>
>>> michael
>>
>> But it should be configurable at which level to log, no? It has a  
>> potential for DoS because many clients use strange URLs at a high  
>> rate in case of errors and logging this with a rate of some  
>> hundreds per second isn't fun at all, especially if it is at  
>> EMERGENCY or the like.
>> We can not prevent stupid clients from accessing invalid URLs, but  
>> we should be able to prevent this from becoming a problem.
>
> So what you are saying is that you should silence the error so that  
> you will NEVER be able to have a log of potential attacks?
>
> That sounds like a terrible way to ship a client by default.  Not to  
> mention that anybody can go into the source and change the log level  
> to what they want.
>
> michael

I'm not sure if it is useful to see all misguided URLs hitting the  
server as attacks, especially given the fact that this happens with  
many clients even with correct configuration for  
iCal/CalDAV/ActiveSync and the like all the time. There is also a  
constant stream of HTTP scanning for known vulnerable scripts and the  
like, and for sure I don't need a notice at Emergency level either.  
Changing the source isn't useful because the next update will revert  
this for sure. So the correct way should be some setting to turn it off  
or lower the priority if desired, no?

Regards

Andreas
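What the two positions in this thread amount to in practice, as an added example that is not part of the thread and not Horde's own code: a small Python filter that keeps every "User is not authorized" event counted (so the record of a possible scan survives, which is Michael's point) while bounding how many lines reach the log per source and per minute (Andreas's concern about hundreds of entries per second), folding the excess into a single summary entry. The line format is the one quoted above; the sample lines, the window and threshold values, the severity names and the assumption that a burst rate is a better hint of scanning than a stray client are all constructed for this example.

```python
"""Rate-aware handling of Horde 'User is not authorized' log lines.

Added example, not Horde code. Assumes the syslog-style line format quoted
in the thread; the sample lines below are constructed.
"""
import re
from datetime import datetime

# Matches e.g.
#   Jul 28 20:46:44 test1 HORDE: User is not authorized for imp [pid 21092 on line 267 of "/usr/local/share/pear/Horde/Registry.php"]
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) HORDE: '
    r'User is not authorized for (?P<app>\w+) '
    r'\[pid (?P<pid>\d+) on line \d+ of "[^"]+"\]$'
)


def parse_line(line, year=2013):
    """Return a dict for a matching line, or None for anything else.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "app": m["app"], "pid": int(m["pid"])}


def _summary(key, st, max_per_window):
    host, app = key
    return {
        "level": "WARNING",
        "count": st["count"],
        "msg": (f"{host}: {st['count']} unauthorized requests for {app} in the "
                f"window starting {st['start']:%H:%M:%S} "
                f"({st['count'] - max_per_window} suppressed); possible scan"),
    }


def rate_limit(lines, window_seconds=60, max_per_window=5):
    """Count every event, but emit at most max_per_window verbatim NOTICE
    entries per (host, app) and window; the excess is folded into one
    WARNING summary when the window closes. Returns (entries, skipped)
    where skipped is the number of lines that did not match the pattern."""
    events, skipped = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1
        else:
            events.append(ev)

    emitted, state = [], {}  # state: (host, app) -> {"start": ts, "count": n}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["app"])
        st = state.get(key)
        if st is None or (ev["ts"] - st["start"]).total_seconds() >= window_seconds:
            # Close the previous window for this key, summarising if it overflowed.
            if st is not None and st["count"] > max_per_window:
                emitted.append(_summary(key, st, max_per_window))
            st = state[key] = {"start": ev["ts"], "count": 0}
        st["count"] += 1
        if st["count"] <= max_per_window:
            emitted.append({
                "level": "NOTICE",
                "msg": (f"{ev['host']}: unauthorized request for {ev['app']} "
                        f"at {ev['ts']:%H:%M:%S} (pid {ev['pid']})"),
            })
    # Flush windows still open at end of input.
    for key, st in state.items():
        if st["count"] > max_per_window:
            emitted.append(_summary(key, st, max_per_window))
    return emitted, skipped


# Constructed sample: the line quoted in the thread, one unrelated line, one
# isolated event half an hour later, then a burst of 40 requests in 4 seconds.
HORDE_LINE = ('{ts} test1 HORDE: User is not authorized for imp [pid {pid} on line 267 '
              'of "/usr/local/share/pear/Horde/Registry.php"]')
SAMPLE_LINES = [
    HORDE_LINE.format(ts="Jul 28 20:46:44", pid=21092),
    "Jul 28 20:50:00 test1 HORDE: something unrelated",
    HORDE_LINE.format(ts="Jul 28 21:10:03", pid=21140),
] + [HORDE_LINE.format(ts=f"Jul 28 22:00:{i // 10:02d}", pid=22000 + i) for i in range(40)]

if __name__ == "__main__":
    entries, skipped = rate_limit(SAMPLE_LINES)
    for e in entries:
        print(e["level"], e["msg"])
    print(f"{skipped} line(s) did not match the pattern")
```

On the sample input the two isolated events are emitted as-is, the burst produces five verbatim entries plus one WARNING that reports all forty and how many were suppressed, so the evidence of a scan is preserved at a bounded log volume. The same effect can be had outside Horde by letting the syslog daemon collapse repeated messages, which sidesteps the "changing the source gets reverted on update" problem raised above.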
