On Fri, 2006-02-03 at 02:52, Iain Pople wrote:
> Hi,
> 
> I am experiencing a strange bug with squirrelmail. The symptoms are as 
> follows:
> 
> Sometimes when a user sends an email the from address changes to another 
> user's email address who is logged in at the same time.
> 
> e.g. user A has email address [EMAIL PROTECTED]
>       user B has email address [EMAIL PROTECTED]
> 
> User A is composing an email. When he hits send, the from address gets 
> set to [EMAIL PROTECTED]
> 
> Another symptom is that user B generates a failed IMAP login, suggesting 
> that user A is trying to log in with user B's username. I am not 
> suggesting that this is a deliberate hijacking attempt by the user but 
> some bug in squirrelmail/php. Here is the IMAP error message:
> 
[..............]

Hello

This is the same problem we had some months ago. We reported this to the
list in August 2005 and it took us very heavy debugging to find out the
cause of this. More information here:
http://sourceforge.net/mailarchive/message.php?msg_id=12715881

This was an important security issue for us where privacy got
compromised: as you say, e-mails get another sender, but sometimes users
also get to see other users' folders/e-mails.

Every time you use squirrelmail, a random 32 character identification
code (SID) is generated in the server, saved as a cookie in the 
computer/browser of the user and used to identify the user in the
system. This SID is unique and it guarantees that only one user has
access to his/her e-mail account.

We discovered that some browsers change the value of the SID from a
random 32 character code to 'deleted'. The value 'deleted' is not random
and if two or more users with this problem are using squirrelmail at
the same time, then privacy can be compromised. It is because of this that
we do not allow computers/browsers with this problem to use webmail in
our system. 

We save session data in a PostgreSQL database and have our own
session handler. We patched our code so it refuses to use a SID with a
value like 'deleted' or that is not a 32-character-long string, and the
problem is gone.

We log all users with this problem and they get information about it.

Since October 2005, 320 out of 37.100 that have used our webmail
installation had this problem at least one time, this is around 0.86% of
all users that used our system. Not much, but for us, one is more than
enough when privacy gets compromised.

-- 
Rafael Martinez, <[EMAIL PROTECTED]>
Center for Information Technology Services
University of Oslo, Norway

PGP Public Key: http://folk.uio.no/rafael/
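
The check described in the message above, as an added example (not the University of Oslo patch and not SquirrelMail code): a session store that refuses both reads and writes for any SID that is not in the expected format, so two browsers sending 'deleted' can never share a row. The 32-lowercase-hex format, the `GuardedSessionStore` class and the array standing in for the PostgreSQL table are assumptions made for illustration.

```php
<?php
// Assumption: valid session IDs are exactly 32 lowercase hex characters.
const SID_PATTERN = '/\A[0-9a-f]{32}\z/';

function sid_is_acceptable(string $sid): bool
{
    return preg_match(SID_PATTERN, $sid) === 1;
}

// Hypothetical store; $rows stands in for the session table in the database.
final class GuardedSessionStore
{
    private array $rows = [];
    public array $rejected = [];   // what would go to the log of affected users

    public function read(string $sid): string
    {
        // A rejected SID never loads stored data, even if a row with that key exists.
        return $this->check($sid) ? ($this->rows[$sid] ?? '') : '';
    }

    public function write(string $sid, string $data): bool
    {
        // Refusing the write matters as much as the read: without it, the first
        // 'deleted' client would create the shared row the second one then reads.
        if (!$this->check($sid)) {
            return false;
        }
        $this->rows[$sid] = $data;
        return true;
    }

    private function check(string $sid): bool
    {
        if (sid_is_acceptable($sid)) {
            return true;
        }
        // Truncate before logging: the cookie value is client-controlled.
        $this->rejected[] = ['sid' => substr($sid, 0, 40), 'len' => strlen($sid)];
        return false;
    }
}

// Constructed sample values, not taken from any real session.
$store = new GuardedSessionStore();
$good  = '0123456789abcdef0123456789abcdef';
$store->write($good, 'username|s:5:"userA";');
foreach ([$good, 'deleted', str_repeat('a', 31), strtoupper($good)] as $sid) {
    $stored = $store->write($sid, 'username|s:5:"userB";');
    printf("%-34s write=%s read=%s\n", $sid, $stored ? 'ok' : 'refused',
           var_export($store->read($sid), true));
}
printf("%d rejected attempts logged\n", count($store->rejected));
```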
