[imp] Security - user A got into userB's email

Lachlan Cameron-Smith lachlan.cameronsmith at adelaide.edu.au
Wed Oct 22 17:20:15 PDT 2003


Michael M Slusarz wrote:

> Quoting Kim Hoffman <khoffman at uwo.ca>:
> 
> | We have 3 systems servicing web mail.  A front end load balancer is used
> | to load balance the traffic to these 3 systems.  The load balancer is
> | state aware.  So when a user logs in to server A, he stays on server A
> | for all his sessions.  The sessions are files kept locally on each of
> | the 3 servers.
> |
> | We had user A who bookmarked
> |
> |   https://xxx.xxx.xxx/horde/imp/mailbox.php?Horde=fe4c04a1d4e6135cc41e7bdbb6603111&mailbox=INBOX
> |
> | and got into user B's mailbox.  The user told me that she got into the
> | same user's (user B's) mailbox about 3 times over a number of days.
> 
> Upgrade to Horde 2.2.4/IMP 3.2.2:
> http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.207.2.79&r2=1.207.2.80&ty=h

We've upgraded to Horde 2.2.4 and IMP 3.2.2 and it doesn't prevent this 
from happening. The fix we have found is to set session.use_only_cookies 
= 1 in php.ini; the session ID passed in the URL will then be ignored 
and a new session ID will be generated and stored in a cookie. (We're 
still testing as to which browsers work OK with this - Konqueror doesn't 
seem to like it.)

Regards,

Lachlan Cameron-Smith
Senior Systems Specialist, ITS, Adelaide University
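A bootstrap-level version of the fix described above, added here as an example that is not from this thread or from the Horde/IMP code: it forces cookie-only session IDs from the application itself (so the setting cannot silently differ between the three load-balanced servers), logs any request that still carries a session ID in the URL, and regenerates the ID at login. It assumes PHP 5.2 or later and a session name of `Horde` as in the quoted URL; `on_login_success` is a hypothetical hook, not a Horde function.

```php
<?php
// Added example, not part of the mailing-list thread or of Horde/IMP.
// Everything here must run before session_start().

// Refuse session IDs from GET/POST; only the session cookie is honoured.
ini_set('session.use_only_cookies', '1');
// Never rewrite links/forms to embed the session ID; that is how a
// bookmarkable "?Horde=<id>" URL like the one in the thread comes about.
ini_set('session.use_trans_sid', '0');
// Cookie only over HTTPS and not readable by script (PHP 5.2+ signature).
session_set_cookie_params(0, '/', '', true, true);
session_name('Horde');   // assumption: same parameter name as the quoted URL

// Fail closed if the hardening did not take effect (e.g. overridden by a
// php_admin_value directive on one of the servers).
if (ini_get('session.use_only_cookies') !== '1') {
    header('HTTP/1.1 500 Internal Server Error');
    exit('session hardening not in effect');
}

// Detect a session ID arriving via the query string.  PHP now ignores it,
// but it is exactly the symptom the thread describes, so record it.
function url_session_id_present(array $query, $name)
{
    return isset($query[$name]) && $query[$name] !== '';
}

if (url_session_id_present($_GET, session_name())) {
    $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
    $uri  = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-';
    error_log("session id supplied in URL from $addr for $uri; ignored");
}

session_start();

// Hypothetical hook: after a successful login, replace the session ID so an
// ID that existed before authentication (bookmarked, guessed or planted)
// never becomes an authenticated one.  true = delete the old session file.
function on_login_success($username)
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_addr'] = isset($_SERVER['REMOTE_ADDR'])
        ? $_SERVER['REMOTE_ADDR'] : '';
}
```

Because the session files live locally on each of the three servers, regenerating the ID at login also means a stale ID replayed against a different server simply gets an empty, unauthenticated session rather than someone else's.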

