* Rafael Martinez Guerrero <[EMAIL PROTECTED]>:

> This is the same problem we had some months ago. We reported this to the
> list in August 2005 and it took us very heavy debugging to find out the
> cause of this. More information here:
> http://sourceforge.net/mailarchive/message.php?msg_id=12715881
> 
> This was an important security issue for us where privacy got
> compromised, as you say, e-mails get another sender, but sometimes users
> also get to see other users folders/e-mails.
> 
> Every time you use squirrelmail, a random 32 character identification
> code (SID) is generated in the server, saved as a cookie in the
> computer/browser of the user and used to identify the user in the
> system. This SID is unique and it guarantees that only one user has
> access to his/her e-mail account.
> 
> We discovered that some browsers change the value of the SID from a
> random 32 character code to 'deleted'. The value 'deleted' is not random
> and if two or more users with this problem are using squirrelmail at
> the same time, then privacy can be compromised. It is because of this that
> we do not allow computers/browsers with this problem to use webmail in
> our system.
> 
> We save session data in a postgresql database and have our own
> session handler. We patched our code so it refuses to use a SID with a
> value like 'deleted' or that is not a 32-character string, and the problem is
> gone.
> 
> We log all users with this problem and they get information about it.
> 
> Since October 2005, 320 out of 37.100 users who have used our webmail
> installation had this problem at least one time; this is around 0.86% of
> all users that used our system. Not much, but for us, one is more than
> enough when privacy gets compromised.

It seems we're seeing the same. Would you care to share your patch
that disallows the "(deleted)" SID?

-- 
Ralf Hildebrandt (i.A. des IT-Zentrums)         [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF                 send no mail to [EMAIL PROTECTED]
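One way to enforce the check Rafael describes (refuse a SID that is the literal 'deleted' or not a 32-character string, and log the user), as an added example: this is not SquirrelMail's code nor his patch, and the cookie name SQMSESSID is an assumption.

```php
<?php
// Added example (not SquirrelMail's code, not Rafael's patch): reject a
// session id that is the literal "deleted" or not a 32-character string
// before any session data is looked up under it.

// Assumed cookie name; the real SquirrelMail session cookie name may differ.
const SESSION_COOKIE = 'SQMSESSID';

/**
 * A session id is acceptable only if it is exactly 32 characters drawn
 * from PHP's session-id alphabet. The literal "deleted" (the value PHP's
 * setcookie() sends when expiring a cookie, which some browsers then
 * echo back) already fails the length test, but is checked explicitly
 * so the log entry names the actual failure mode.
 */
function sid_rejection_reason(string $sid): ?string
{
    if ($sid === 'deleted') {
        return 'literal "deleted"';
    }
    if (strlen($sid) !== 32) {
        return 'length ' . strlen($sid) . ' != 32';
    }
    if (!preg_match('/^[A-Za-z0-9,-]{32}$/', $sid)) {
        return 'characters outside the session-id alphabet';
    }
    return null; // acceptable
}

/**
 * Call before session_start(). A bad cookie is logged, cleared on the
 * client, and replaced by a fresh id so two users can never share the
 * 'deleted' session.
 */
function enforce_valid_sid(): void
{
    $sid = $_COOKIE[SESSION_COOKIE] ?? null;
    if ($sid === null) {
        return; // no cookie yet: PHP will mint a new id
    }
    $why = sid_rejection_reason($sid);
    if ($why === null) {
        return;
    }
    error_log(sprintf('rejected session id from %s: %s',
        $_SERVER['REMOTE_ADDR'] ?? '-', $why));
    setcookie(SESSION_COOKIE, '', time() - 3600, '/');
    unset($_COOKIE[SESSION_COOKIE]);
    session_id(bin2hex(random_bytes(16))); // 32 hex characters
}

enforce_valid_sid();
session_start();
```

The same rejection can be applied inside a custom session handler's read() callback if, as in Rafael's setup, sessions are stored in a database rather than PHP's default files.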

--
squirrelmail-users mailing list
Posting Guidelines: 
http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@lists.sourceforge.net
List Archives: 
http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id)95
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users