[imp] Security - user A got into userB's email

Kim Hoffman khoffman at uwo.ca
Thu Oct 23 12:30:21 PDT 2003


We have two groups of users:

1.  Users who use their own systems
2.  Users who share systems (e.g. a student lab)

Cookies are OK for those who own their own systems.  However, we think cookies
would be insecure for users who 'share' systems.

What did you set your 'session.entropy_length = xx' to?
Would this make any difference?
By setting 'session.entropy_length = xx' to a very high number, would this
impact performance?

=========
Quoting Lachlan Cameron-Smith <lachlan.cameronsmith at adelaide.edu.au>:

> Michael M Slusarz wrote:
> 
> > Quoting Kim Hoffman <khoffman at uwo.ca>:
> > 
> > | We have 3 systems servicing web mail.  A front end load balancer is used
> > | to load balance the traffic to these 3 systems.  The load balancer is
> > | state aware.  So when a user logs in to server A, he stays on server A
> > | for all his sessions.
> > | The sessions are files kept locally on each of the 3 servers.
> > |
> > | We had user A who bookmarked
> > |
> > |   https://xxx.xxx.xxx/horde/imp/mailbox.php?Horde=fe4c04a1d4e6135cc41e7bdbb6603111&mailbox=INBOX
> > |
> > | and got into user B's mailbox.  The user told me that she got into the
> > | same user's (user B's) mailbox about 3 times over a number of days.
> > 
> > Upgrade to Horde 2.2.4/IMP 3.2.2:
> >
> http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.207.2.79&r2=1.207.2.80&ty=h
> 
> We've upgraded to Horde 2.2.4 and IMP 3.2.2 and it doesn't prevent this
> from happening. The fix we have found is to set session.use_only_cookies
> = 1 in php.ini; the session ID passed in the URL will then be ignored
> and a new session ID will be generated and stored in a cookie. (We're
> still testing as to which browsers work OK with this - Konqueror doesn't
> seem to like it.)
> 
> Regards,
> 
> Lachlan Cameron-Smith
> Senior Systems Specialist, ITS, Adelaide University
> 


-- 
Kim Tan Hoffman
Information Technology Services
University of Western Ontario
London Ontario
Phone:  519 6612111-x86008
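The thread turns on two settings: whether PHP will accept a session ID carried in a URL (the bookmarked mailbox.php link), and how much randomness goes into new IDs. The following is an added illustration of a session bootstrap that closes the URL path and regenerates the ID at login; it is my own example, not Horde/IMP code and not anything posted in this thread. The function names secure_session_start, login and logout, the cookie path /horde/ and the assumption of PHP 7.3 or newer are mine. One caveat on the entropy question: session.entropy_length and session.entropy_file were removed in PHP 7.1, where IDs are drawn from the system CSPRNG and the length is controlled by session.sid_length and session.sid_bits_per_character; on older PHP, entropy_length only sets how many bytes are read from session.entropy_file when a new ID is created, so raising it costs essentially nothing.

```php
<?php
// Added example, not Horde/IMP code. Assumes PHP >= 7.3 (array form of
// session_set_cookie_params, session.sid_* settings).
declare(strict_types=1);

function secure_session_start(): void
{
    // Never take the session ID from the query string or POST body, and never
    // rewrite it into links: a bookmarked ...mailbox.php?Horde=<sid> must not
    // be able to resume any session.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not itself issue (no session file for them);
    // PHP then silently generates a fresh ID instead of adopting the client's.
    ini_set('session.use_strict_mode', '1');
    // Replaces the pre-7.1 entropy_length knob: 26 chars * 5 bits = 130 bits.
    ini_set('session.sid_length', '26');
    ini_set('session.sid_bits_per_character', '5');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie: gone when the lab browser closes
        'path'     => '/horde/', // assumed install path
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable by page script
        'samesite' => 'Lax',
    ]);
    session_name('Horde');
    session_start();
}

// Called once the IMAP login has succeeded.
function login(string $user): string
{
    secure_session_start();
    // New ID at the privilege boundary, and delete the old session file, so a
    // pre-login ID (fixated, guessed, or left over on a shared machine) is useless.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return session_id();
}

function logout(): void
{
    secure_session_start();
    $_SESSION = [];
    // Expire the cookie as well as the server-side file, so the next person
    // at a shared lab machine does not inherit either half of the session.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```

With use_only_cookies and use_strict_mode both set, an ID that arrives only in the URL is ignored, and an ID that arrives in a cookie but has no matching server-side session is replaced rather than adopted; the explicit logout matters on the shared lab machines the message above distinguishes, because lifetime=0 alone still leaves the session valid until the browser is actually closed. The sticky load balancer in the quoted report is unaffected by this configuration, since the session file still lives on whichever server issued the cookie.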