[imp] Users still getting into other users' mailboxes at login
James Moore
jmoore at thebank.com
Tue Jul 15 07:32:35 PDT 2003
On Mon, 2003-07-14 at 16:20, Michael M Slusarz wrote:
> Quoting James Moore <jmoore at thebank.com>:
>
> | We were having problems with users getting into other people's
> | mailboxes at login, as has been reported elsewhere. We made all the
> | following changes to our PHP setup, as was recommended in the
> | discussions:
> |
> | php.ini:
> | session.use_cookies 1
> | session.use_trans_sid 0
> | session.entropy_file /dev/urandom
> | session.entropy_length 64
> |
> | Other session-related settings are as follows:
> | /etc/php.ini:
> | session.gc_maxlifetime = 1440
> | session.gc_probability = 1
> | session.save_handler = file
> | session.save_path = /var/www/tmp
> |
> | horde.php:
> | $conf['session_name'] = 'Horde';
> | $conf['cache_limiter'] = 'nocache';
> | $conf['session_timeout'] = 0;
> |
> | We are running the following packages and versions:
> |          Production   Test
> | Horde    2.2.1        2.2.3
> | IMP      3.1          3.2.1
> | Turba    1.1          1.2
> |
> | Our webserver uses Redhat 7.3, Apache 1.3.27, PHP v. 4.1.2
> |
> | We already know that sessions are being created and garbage-collected
> | as one would expect from these configuration settings. After making the
> | changes, we went for about 3 months without further reports of
> | people getting into others' mailboxes at login.
> | Recently, however, we were informed by a user that she has been getting
> | into one other user's mailbox occasionally over the last month. She
> | manages to do this using AOL's browser. Every time it happens, she gets
> | into the mailbox without having to attempt a login, and always into the
> | mailbox of the same user. We have not been able to find out from the
> | "victim" user how she is invoking the IMP site, or whether she disabled
> | cookies in her browser.
>
> Make sure they are not using a bookmark that contains a session identifier
> in it (e.g. http://www.example.com/horde/foo.php?Horde=0123456789)
I was able to get in touch with the "victim" user this morning, and
indeed she was using a bookmark with a session id embedded in it.
>
> | In a potentially related issue, we are not able to stop session ids
> | from being passed in the URI, regardless of how browsers are configured
> | (Mozilla 1.2.1, IE 6.0, Netscape 4.7x, 7.x). This goes for both the
> | production and test sites, the only difference being that on the
> | production site, the session ID appears in the URI prior to a successful
> | login, and on the test site it appears only after a successful login.
>
> This should already be fixed in IMP/HORDE RELENG - we now recreate the
> session identifier once you login so the session identifier that appears in
> the URL in the login is irrelevant - it can't be used to hijack the
> session.
>
I checked out RELENG and tested. Looks good!
> | I have followed all the threads addressing these issues, and at
> | every point they come to an end without a satisfactory resolution. I have
> | a simple question: Has anyone found a verified fix, and if not, when is
> | someone going to put some time into finding one?
>
> Try HEAD. These problems have not been reported there (at least so far).
Can't do that with production site, and that's where I'm most concerned!
:( Is it worth trying to replace only a few files on the production
site with revised versions from HEAD (e.g. login.php)?
>
> As far as someone putting time into finding a solution... remember that this
> is an open source project so 1) no guarantees, and 2) everyone that uses
> the software is potentially the person who "puts the time into finding the
> fix" :)
I know I came on too strong! Had no one else come up with a solution,
eventually I would have dug in myself and tried to come up with
something, but given how poorly I code in PHP, it's better if I don't.
> michael
>
> ______________________________________________
> Michael Slusarz [slusarz at bigworm.colorado.edu]
> The University of Colorado at Boulder
--
James J. Moore, Network Administrator
Citizens National Bank
245 Pittsburgh Road
Butler, PA 16001
Phone: 724-214-6205 Fax: 724-283-9235
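As an added illustration of the login-time session regeneration Michael describes above (this is example code, not Horde's or IMP's own), written for a current PHP rather than the 4.1.2 in the thread; `authenticate()` is a hypothetical stand-in for IMP's IMAP credential check:

```php
<?php
// Defences against a session id that arrives in a URL, e.g. a bookmark of
// http://www.example.com/horde/foo.php?Horde=0123456789

// Take the session id only from the cookie, never from the query string.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse ids the server never issued (available since PHP 5.5.2).
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

session_name('Horde');
session_cache_limiter('nocache');
session_start();

// Hypothetical stand-in for IMP's IMAP login check.
function authenticate(string $user, string $password): bool
{
    // ... verify the credentials against the mail server ...
    return false;
}

if (isset($_POST['logout'])) {
    // Logout: drop the server-side data and expire the cookie.
    $_SESSION = array();
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
    header('Location: /horde/login.php');
    exit;
}

if (isset($_POST['user'], $_POST['password'])
    && authenticate($_POST['user'], $_POST['password'])) {
    // Discard whatever id the browser arrived with. From here on the
    // pre-login id, whether from a URL or an old cookie, opens nothing.
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['user'];
    header('Location: /horde/imp/mailbox.php');
    exit;
}

if (empty($_SESSION['user'])) {
    // Not authenticated: show the form, never a mailbox, no matter what
    // session id came with the request.
    echo '<form method="post"><input name="user">'
       . '<input name="password" type="password">'
       . '<button>Log in</button></form>';
    exit;
}

echo 'Logged in as ' . htmlspecialchars($_SESSION['user']);
```

With `use_only_cookies` set, a `?Horde=...` parameter in a bookmarked URL is simply ignored, and `session_regenerate_id(true)` ensures the id shown before login is never the id of an authenticated session.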