Re: 1.4.18 bug with src/redirect.php on php4.3.3


On Thu, May 14, 2009 at 5:44 AM, Andreas Vogt <a_vogt@xxxxxxx> wrote:
>
> (SM 1.4.18, PHP 4.3.3)
>
> Hi,
>
> after updating to 1.4.18
> all users are immediately logged out after login.
> SM just asks the IMAP server for INBOX, then SM logs out.
>
> I could break this issue down to
> line 82 in src/redirect.php
>  session_regenerate_id();
>
> As stated in new redirect.php:
> * NB: session_regenerate_id() was added in PHP 4.3.2 (and new session
> *     cookie is only sent out in this call as of PHP 4.3.3), but PHP 4
> *     is not vulnerable to session fixation problems in SquirrelMail
>
> Obviously, PHP 4.3.3 got some problems with
>   session_regenerate_id();

Ugh, yes indeed it looks like it.  Can you take snapshots of the
SquirrelMail cookies in your browser for each step? --

  - after login page loads
  - just before the regenerate() call (put an exit; call before it)
  - just after the regenerate() call (put an exit; call after it)
  - after the session_write_close() call but before the
header('Location') redirect
    (put an exit; call between the two) - should be around line 181

It might also be helpful to see the contents of $_COOKIE under each of
those steps.

> I tried to disable line 82. After this, everything works great, but I
> don't know what security problems I will get now (besides having PHP
> 4.3.3 ;) )

Probably none - it seems to be mostly a PHP 5 issue.

> best regards and thank you for your great job!

Thanks

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
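An added example (not SquirrelMail's redirect.php) that walks the same session_start / session_regenerate_id / session_write_close / redirect sequence and records the session id and cookie state at each step, the server-side counterpart of the cookie snapshots requested above. The log_step() helper, the 'alice' login and the webmail.php target are constructed for illustration; headers_list() requires PHP 5 or later, so on PHP 4.3.3 only the id comparison applies.

```php
<?php
// Added example, not SquirrelMail code. Mirrors the redirect.php sequence
// and records session id and cookie state at each step so a broken
// session_regenerate_id() shows up as "id unchanged" or "no Set-Cookie".
session_start();

$trace = array();

function log_step($label, &$trace)
{
    // Compare what the browser sent with what PHP now considers the id.
    // After a working regenerate the two differ and a Set-Cookie header
    // for the session cookie must be queued (headers_list() is PHP 5+).
    $name = session_name();
    $trace[$label] = array(
        'php_session_id'        => session_id(),
        'cookie_sent_by_client' => isset($_COOKIE[$name]) ? $_COOKIE[$name] : null,
        'set_cookie_queued'     => false,
    );
    foreach (headers_list() as $h) {
        if (strpos($h, 'Set-Cookie: ' . $name . '=') === 0) {
            $trace[$label]['set_cookie_queued'] = true;
        }
    }
}

// Step 1: state as received from the browser (the pre-login session id).
log_step('before_regenerate', $trace);
$old_id = session_id();

// Step 2: authentication succeeded (constructed stand-in for the real
// check), so replace the id to defeat a fixated pre-login session id.
$_SESSION['user'] = 'alice';
session_regenerate_id();
log_step('after_regenerate', $trace);

// Step 3: flush session data before redirecting, as redirect.php does.
session_write_close();
log_step('after_write_close', $trace);

// If either check fails, the browser arrives at the next page with an id
// the server has no data for and the user is logged out immediately.
if (session_id() === $old_id) {
    error_log('session_regenerate_id() did not change the session id');
}
if (!$trace['after_regenerate']['set_cookie_queued']) {
    error_log('no Set-Cookie header for the new session id was queued');
}
error_log(print_r($trace, true));
header('Location: webmail.php');
```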

squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
