[imp] Access to other users mailboxes
Charlie Reitsma
reitsmac at denison.edu
Tue Apr 1 21:42:33 PST 2003
That "session.use_only_cookies" option in php.ini sounds promising for
defeating bookmarks with embedded session IDs.
Quoting Eric Rostetter <eric.rostetter at physics.utexas.edu>:
> Quoting Myke Place <mp at xmission.com>:
>
> > We've got a serious problem that I could really use some help with.
> > Apparently, some users are logging into our IMP installation and getting
> > the mailboxes of other users.
> >
> > I see in the logs that IMP is contacting the IMAP server and logging in,
> > but on the Inbox screen, another user's mail is displayed. We are using
> > phpa with the following versions:
>
> Either your sessions are getting reused, or your phpa is caching things
> wrong. See http://cvs.horde.org/co.php/horde/docs/SECURITY for some
> light reading, paying attention to the stuff about sessions and entropy
> and the like.
>
> --
> Eric Rostetter
> The Department of Physics
> The University of Texas at Austin
>
> Why get even? Get odd!
Charlie Reitsma
Systems Engineer
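
An added example, not part of the original thread and not Horde/IMP code: a small Python check that reads php.ini text and reports session directives that still let a session ID travel in a URL. `session.use_only_cookies` is the option named in the reply above; `session.use_cookies` and `session.use_trans_sid` are the related PHP directives. The two php.ini samples are constructed for the example, and the function names are this example's own.

```python
import re

# Directive -> boolean value that keeps session IDs out of URLs.
WANTED = {
    "session.use_cookies": True,        # carry the ID in a cookie
    "session.use_only_cookies": True,   # ignore IDs supplied in the URL
    "session.use_trans_sid": False,     # do not rewrite links to embed the ID
}
TRUE_WORDS = {"1", "on", "yes", "true"}  # php.ini spellings of "enabled"
ASSIGNMENT = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*([^;]*)")

def parse_ini(text):
    """Collect directive -> value; ';' comments and [sections] are skipped."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGNMENT.match(line)
        if m:  # a later assignment overrides an earlier one
            settings[m.group(1)] = m.group(2).strip().strip('"').lower()
    return settings

def audit(text):
    """Return {directive: problem} for settings that permit URL session IDs."""
    settings = parse_ini(text)
    findings = {}
    for name, want in WANTED.items():
        raw = settings.get(name)
        if raw is None:
            # Defaults differ between PHP versions, so ask for an explicit value.
            findings[name] = "not set explicitly"
        elif (raw in TRUE_WORDS) != want:  # anything not in TRUE_WORDS counts as off
            findings[name] = f"set to {raw!r}, want {'1' if want else '0'}"
    return findings

# Constructed sample: IDs accepted from, and written into, URLs.
WEAK_INI = """[Session]
session.use_cookies = 1
session.use_only_cookies = 0
session.use_trans_sid = On   ; links get the session ID appended
"""

# Constructed sample: cookie-only sessions.
HARDENED_INI = """[Session]
session.use_cookies = 1
session.use_only_cookies = 1
session.use_trans_sid = 0
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(ini) or "ok")
```
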