dwnek@xxxxxxxxxxxxxx wrote:
[....]
> When I simply reconfigure httpd.conf to point to webmail-1.4.17 vice
> webmail-1.4.19 and restart the httpd service all of the above problems go
> away.
>
> I have not seen a response back to Rafael's email above yet and was
> wondering what the status of this is and if there is something that can be
> done to correct this. I am anxious to go back to 1.4.19 because of all of
> the security fixes contained in 1.4.18 including the very important fix
> regarding remote execution of server side code.
>

Hello

We have found a way to avoid these problems. We have deleted this code in src/redirect.php:

--------------------------------------------------------------------
if (function_exists('session_regenerate_id')) {
    session_regenerate_id();
    // re-send session cookie so we get the right parameters on it
    // (such as HTTPOnly, if necessary - PHP doesn't do this itself)
    sqsetcookie(session_name(), session_id(), false, $base_uri);
}
-------------------------------------------------------------------

and this code in function/global.php:

--------------------------------------------------------------------
sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src');
sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src/');
--------------------------------------------------------------------

Maybe some of the developers can explain the implications of these changes.

With these changes, users logged in to squirrelmail during the upgrade will get the "you must be logged in" error, but everything will work without problems when they log in again after this.

It has been a nightmare since 1.4.19 was released, knowing the version we had in production had serious security problems and not being able to upgrade. We are very disappointed with the null response from developers we have had on this issue.
regards
--
Rafael Martinez, <r.m.guerrero@xxxxxxxxxxx>
Center for Information Technology Services
University of Oslo, Norway
PGP Public Key: http://folk.uio.no/rafael/

-----
squirrelmail-users mailing list
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
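Added illustration, not part of the thread and not SquirrelMail's own code: what the two deleted fragments do in plain PHP, so an administrator weighing the workaround can see that removing them drops the post-login session id regeneration (the session fixation defence), the re-sent HttpOnly cookie, and the expiry of stale src/-scoped cookies from older versions. It assumes a hypothetical $base_uri of '/webmail/' and setcookie()'s httponly argument (PHP 5.2 or later); sqsetcookie() is replaced by setcookie().

```php
<?php
// Added example (assumed layout, not SquirrelMail code). Shows the purpose of the
// session-cookie lines the post above removes; $base_uri is a constructed value.

function send_session_cookie($base_uri, $secure = false)
{
    // Re-send the session cookie ourselves so it carries the attributes we want.
    // HttpOnly keeps the id out of reach of page scripts, which limits cookie theft
    // through XSS; the secure flag keeps it off plain-HTTP requests.
    setcookie(session_name(), session_id(), 0, $base_uri, '', $secure, true);
}

function expire_legacy_cookies($base_uri)
{
    // Older installs scoped the session cookie to the src/ path. A stale cookie on the
    // narrower path is sent together with the new one under the same name, and the
    // server may read the old id first, hence the "you must be logged in" symptom.
    // Expire time 1 (1970) tells the browser to drop those old-path cookies.
    foreach (array($base_uri . 'src', $base_uri . 'src/') as $path) {
        setcookie(session_name(), '', 1, $path);
    }
}

function login_success($base_uri, $secure = false)
{
    // Issue a fresh id once the user has authenticated: an id fixed before login
    // (session fixation) then no longer identifies the authenticated session.
    if (function_exists('session_regenerate_id')) {
        session_regenerate_id();
    }
    expire_legacy_cookies($base_uri);
    send_session_cookie($base_uri, $secure);
}

session_start();
// Constructed call: a successful login under a hypothetical '/webmail/' base URI.
login_success('/webmail/', !empty($_SERVER['HTTPS']));
```

Users with a session from before the change still receive the "you must be logged in" error once, exactly as the post describes, because their old id is regenerated and the old-path cookie expired on the next request.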