[imp] Session Collisions

Symen Mulders symen.mulders at plattsburgh.edu
Thu Mar 6 10:40:33 PST 2003


We ran into an interesting condition in Horde/IMP's session handling
recently (running Horde 2.1 and IMP 3.1).  A technician created a new
workstation image with a shortcut to our Webmail server on the desktop. 
The shortcut was created by loading the page in a browser, then
right-clicking the page and selecting "Create shortcut on desktop" or
whatever the option is.  Therefore what was linked, due to the session
key creation code called by /horde/imp/index.php, was like
http://server/horde/imp/login.php?Horde=biglongmd5string.  The image was
then pushed to a few machines.  The condition came up when the shortcut
was used by more than one user concurrently, of course using the same
session key.  Nasty things happened, like users seeing each other's
inboxes, etc.  I did a quick fix on my end by adjusting
/horde/imp/index.php to not ask for a session key and just redirect to
/horde/imp/login.php, letting /horde/imp/redirect.php create the key
instead, which isn't a perfect fix, but I didn't really have time for
much more.

It seems to me that allowing the user to specify their own session key
is probably a bad idea.  The keys are complex random numbers, so the
chance of a user guessing another user's key is almost nonexistent, but
it is easy enough for other bad things to happen by accident, as we
discovered.

My question is, how important is it that this be changed, or has it been
changed in Horde 2.2.1/IMP 3.2?

-- 
=================================
 Symen Mulders
 Programmer/Analyst
 Plattsburgh State University
 101 Broad Street
 Plattsburgh, NY 12901
 muldersb AT plattsburgh DOT edu
=================================
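
The collision described above, as an added example that is not part of the original post and is not Horde/IMP code: a small Python model of a session table that adopts a client-supplied key, next to one that only honours IDs it issued and rotates the ID at login. The class, function names, user names and the sample key are all assumptions made for illustration.

```python
import secrets

class SessionStore:
    """Toy server-side session table keyed by session ID (constructed model)."""

    def __init__(self, strict):
        self.strict = strict   # strict=False mimics adopting a key taken from the URL
        self.sessions = {}     # session id -> {"user": ...}

    def _new_id(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def open(self, presented_id=None):
        """Return the session ID the server will use for this request."""
        if presented_id in self.sessions:
            return presented_id
        if presented_id is not None and not self.strict:
            # Permissive: an unknown client-supplied key is adopted as-is.
            self.sessions[presented_id] = {"user": None}
            return presented_id
        return self._new_id()  # strict: ignore unknown keys, issue our own

    def login(self, sid, user):
        """Bind a user to the session; strict mode rotates the ID first."""
        if self.strict:
            del self.sessions[sid]
            sid = self._new_id()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def shared_shortcut(strict, key_still_live=False):
    """Two users start from the same bookmarked key; return who each one is served as."""
    store = SessionStore(strict)
    bookmarked = "0123456789abcdef0123456789abcdef"  # constructed stand-in for the key in the shortcut
    if key_still_live:
        store.sessions[bookmarked] = {"user": None}  # the original session never expired
    sid_a = store.login(store.open(bookmarked), "alice")
    sid_b = store.login(store.open(bookmarked), "bob")
    return store.whoami(sid_a), store.whoami(sid_b)
```

In the permissive model both users end up on one session record, so the first user is served as the second; rotating the ID at login keeps them apart even when the bookmarked key still names a live session.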


