[sork] Passwd backends

Eric Rostetter eric.rostetter at physics.utexas.edu
Mon Jan 31 13:16:58 PST 2005


Quoting - Fredde - <nagash303 at hotmail.com>:

> > > However, even if stupid A left his computer, hacker B needs the
> > > old password
> > > to be able to change the password, ok? Can't see any security issue, ok?
> >
> >Okay.  If it works for you, great!  More power to you.
> 
> Hmmm, do you mean different mailservers/auth treat username/username at domain
> differently in horde-passwd from a security point of view? (bareAUTH/ AUTH)

Nope.  I mean, some people allow password changing without checking the
current password.  Not a very secure way to do it, but very popular.

> > > This way the username is locked, readonly does the job
> > > (yes you can still see the username, but can't edit/change it).
> >
> >Not in the form as served. But you could spoof the form and change it.  But
> >probably you are not worried about that.
> 
> To be 100% sure I should not use horde-passwd at all, right?

Well, yes, but that is not too practical.

If you make your form read-only, then I can download the form, change it
to be non-read-only, and submit it back with the username changed.

If you make the option to change the username a configuration value,
then *hopefully* the code will enforce that by always using a Horde
provided username and not a form-submitted (user provided data) username,
so there is no way to circumvent the restriction.

Now, I'm not sure we do enforce this in the code, but we should, IMHO.
Been too long since I looked at the (CVS HEAD) code for how this is done.
(Though I hope to look at it today)

> >It does if you code the hook to do so.
> 
> Yes, I have to hope some kind user does one and post it here.

You need to define your setup and ask for such help.  We can't help if
you don't ask for help, and provide the details needed to help.

> Yes I did what I could, to make horde better, with more support. Ok, thanks
> for taking time to answer my posts.

And we appreciate that, we really do!
 
> Greets,
> 
> Fredde

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin
 
Why get even? Get odd!
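The point Eric makes above (a read-only form field is not a security control, because the client can edit it and resubmit; the server must take the username from its own authenticated session and require the current password) is illustrated here in an added, stand-alone Python example. It is not Horde or horde-passwd code; the in-memory user store, the two handler functions and the session/form dictionaries are all constructed for the illustration.

```python
"""Added illustration (not Horde code): binding a password change to the
server-side session identity instead of a form-submitted username, and
requiring the current password before the change is applied."""

import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, PBKDF2-SHA256 hash).
USERS = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(username, password):
    """Create or overwrite a user's password record with a fresh salt."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


def verify(username, password):
    """Constant-time comparison of a candidate password against the store."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _hash(password, salt))


def change_password_trusting_form(form):
    """The weak pattern discussed in the thread: the username comes from the
    submitted form. A 'readonly' attribute on the HTML field changes nothing
    server-side, because the client can submit any value it likes, and no
    current-password check is made either."""
    user = form["username"]
    if user not in USERS:
        return "no such user"
    add_user(user, form["new_password"])
    return "changed"


def change_password_bound_to_session(session, form):
    """Hardened pattern: the identity is the one the server authenticated,
    any username field in the form is ignored, and the current password
    must be supplied and correct."""
    user = session.get("authenticated_user")
    if user is None:
        return "not logged in"
    if not verify(user, form.get("old_password", "")):
        return "current password incorrect"
    add_user(user, form["new_password"])
    return "changed"


def demo():
    """Run the scenario from the thread: a logged-in user (bob) submits a
    form whose 'readonly' username field has been edited to name alice."""
    USERS.clear()
    add_user("alice", "alice-pw")
    add_user("bob", "bob-pw")
    bob_session = {"authenticated_user": "bob"}  # constructed session
    spoofed = {"username": "alice", "old_password": "bob-pw",
               "new_password": "owned"}           # constructed form post
    out = {}
    # Hardened handler: refuses without a session or a correct old password,
    # and with both present it only ever changes bob's own password.
    out["no_session"] = change_password_bound_to_session({}, spoofed)
    out["wrong_old"] = change_password_bound_to_session(
        bob_session, {**spoofed, "old_password": "guess"})
    out["spoof_vs_hardened"] = change_password_bound_to_session(bob_session, spoofed)
    out["alice_intact"] = verify("alice", "alice-pw")
    out["bob_changed"] = verify("bob", "owned")
    # Weak handler: the same spoofed post silently overwrites alice's password.
    out["spoof_vs_weak"] = change_password_trusting_form(spoofed)
    out["alice_after_weak"] = verify("alice", "owned")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The configuration value Eric describes (whether username changes are allowed at all) maps onto the hardened handler: whatever the form carries, the only username the handler ever writes to is the one the session already established, so there is no field for a client to spoof.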
