[imp] Security - user A got into user B's email
Kim Hoffman
khoffman at uwo.ca
Wed Oct 22 09:36:53 PDT 2003
We have 3 systems servicing web mail. A front end load balancer is used to
load balance the traffic to these 3 systems. The load balancer is state aware.
So when a user logs in to server A, he stays on server A for all his sessions.
The sessions are files kept locally on each of the 3 servers.
We had user A who bookmarked
https://xxx.xxx.xxx/horde/imp/mailbox.php?Horde=fe4c04a1d4e6135cc41e7bdbb6603111&mailbox=INBOX
and got into user B's mailbox. The user told me that she got into the same
user's (user B's) mailbox about 3 times over a number of days. I tried to
duplicate the situation. I was able to get into another account provided that I
1. logged in to the same physical server (one out of 3)
2. was logged in at the same time as the other user, or the user did not log out but just
closed his browser and the session had not timed out (we set ours to 2 hours of
inactivity)
We believe that the line 'session.entropy_length = 256' controls
the 'complexity' or 'uniqueness' of the name of the session file (for example,
sess_fe4c04a1d4e6135cc41e7bdbb6603111). What is the 'recommended' number for
session.entropy_length?
Or is 'security' controlled differently? Are there any recommended guidelines
for setting up Horde/IMP/Turba to secure mailboxes?
The following RPMs are installed:
horde-2.2.3-1
httpd-2.0.40-21.3
imap-2001a-18
imp-3.2.1-1
mod_ssl-2.0.40-21
mysql-3.23.56-1.9
mysql-server-3.23.56-1.9
openssl-0.9.7a-5
openssl096-0.9.6-17
openssl096b-0.9.6b-6
pear-1.1.tar.gz
php-4.2.2-17
php-imap-4.2.2-17
php-ldap-4.2.2-17
php-mysql-4.2.2-17
turba-1.2-1
Part of php.ini pertaining to session:
[Session]
session.save_handler = files
session.save_path = /var/log/httpd/session
session.use_cookies = 0
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 100
session.gc_maxlifetime = 7200
session.referer_check =
session.entropy_length = 256
session.entropy_file = /dev/urandom
session.cache_limiter = nocache
session.cache_expire = 120
session.use_trans_sid = 1
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
--
Kim Tan Hoffman
Information Technology Services
University of Western Ontario
London Ontario
Phone: 519 6612111-x86008
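What the bookmark shows is the session id travelling in the URL: with session.use_cookies = 0 and session.use_trans_sid = 1, PHP rewrites every link to carry the id, and anyone who replays that URL against the same server while the session file is still alive resumes that session. session.entropy_length only adds random bytes to the input of the id hash, so it governs how guessable an id is, not whether it leaks. The script below is an added example written for this thread, not code from the Horde project or from the post; it audits a php.ini [Session] block for exactly those conditions. The weak fragment is the one quoted in the post; the hardened fragment is constructed, and it assumes PHP 4.3.0 or later, where session.use_only_cookies is available (session.cookie_secure has existed since 4.0.4).

```python
"""Audit a php.ini [Session] block for settings that expose the session id.

Added example for this thread (not Horde or PHP project code). It flags the
conditions that let a bookmarked URL reopen someone else's session: the id is
carried in the URL, ids from the query string are still accepted, the cookie
is not HTTPS-only, and idle sessions live a long time on disk.
"""
import configparser

# [Session] block as quoted in the post.
WEAK_INI = """
[Session]
session.save_handler = files
session.save_path = /var/log/httpd/session
session.use_cookies = 0
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 100
session.gc_maxlifetime = 7200
session.referer_check =
session.entropy_length = 256
session.entropy_file = /dev/urandom
session.cache_limiter = nocache
session.cache_expire = 120
session.use_trans_sid = 1
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
"""

# Constructed hardened fragment (assumption: PHP >= 4.3.0 for use_only_cookies).
# Only the keys that differ from, or are missing in, the weak block are shown.
HARDENED_INI = """
[Session]
session.save_handler = files
session.use_cookies = 1
session.use_only_cookies = 1
session.use_trans_sid = 0
session.cookie_secure = 1
session.gc_maxlifetime = 1800
session.entropy_length = 256
session.entropy_file = /dev/urandom
"""


def parse_session_settings(ini_text):
    """Return the [Session] block as a dict of key -> stripped string value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {key: value.strip().strip('"') for key, value in cp.items("Session")}


def audit(settings):
    """Return a list of (key, finding) pairs for values that expose sessions."""
    findings = []
    get = lambda key, default: settings.get(key, default)  # PHP defaults where absent

    if get("session.use_cookies", "1") == "0":
        findings.append(("session.use_cookies",
                         "session id is never sent as a cookie, so it must travel in the URL"))
    if get("session.use_trans_sid", "0") == "1":
        findings.append(("session.use_trans_sid",
                         "PHP rewrites links to carry the id; it lands in bookmarks, "
                         "browser history, Referer headers and proxy logs"))
    if get("session.use_only_cookies", "0") != "1":
        findings.append(("session.use_only_cookies",
                         "an id supplied in the query string is still accepted (PHP 4.3.0+ setting)"))
    if get("session.cookie_secure", "0") != "1":
        findings.append(("session.cookie_secure",
                         "session cookie is not restricted to HTTPS"))
    lifetime = int(get("session.gc_maxlifetime", "1440"))
    if lifetime > 3600:
        findings.append(("session.gc_maxlifetime",
                         f"idle sessions stay valid for {lifetime // 60} minutes on the server"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for key, finding in audit(parse_session_settings(text)) or [("-", "no findings")]:
            print(f"  {key}: {finding}")
```

On the three-server setup in the post, the same audit applies to every node: session files are local to each server, so a hardened php.ini on only one of them still leaves the other two accepting ids from the URL.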