On Mon, 08 Jun 2009 11:30:12 +0200, Rafael Martinez <r.m.guerrero@xxxxxxxxxxx> wrote:

>dwnek@xxxxxxxxxxxxxx wrote:
>[....]
>>
>> When I simply reconfigure httpd.conf to point to webmail-1.4.17 vice
>> webmail-1.4.19 and restart the httpd service all of the above problems go
>> away.
>>
>> I have not seen a response back to Rafael's email above yet and was
>> wondering what the status of this is and if there is something that can be
>> done to correct this. I am anxious to go back to 1.4.19 because of all of
>> the security fixes contained in 1.4.18 including the very important fix
>> regarding remote execution of server side code.
>>
>
>Hello
>
>We have found a way to avoid these problems.
>
>We have deleted this code in src/redirect.php:
>
>--------------------------------------------------------------------
>if (function_exists('session_regenerate_id')) {
>
>    session_regenerate_id();
>
>    // re-send session cookie so we get the right parameters on it
>    // (such as HTTPOnly, if necessary - PHP doesn't do this itself)
>
>    sqsetcookie(session_name(), session_id(), false, $base_uri);
>}
>--------------------------------------------------------------------
>
>and this code in function/global.php:
>
>--------------------------------------------------------------------
>
>sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src');
>sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src/');
>
>--------------------------------------------------------------------
>
>Maybe some of the developers can explain the implications of these changes.

It was in response to a security report. We try to overwrite the cookies that may already be set in the src/ directory to stop a hacker from attempting to steal information.

>With these changes, users logged in squirrelmail under the upgrade will
>get the "you must be logged in" error, but everything will work without
>problems when they log in again after this.
I've not seen the issue myself, but then I cannot say I run on a large variety of systems, so you may be coming across a combination we don't know about. What are your settings for session.auto_start in your php.ini? It's possible that we should be pushing the call to session_regenerate_id into src/login.php instead of src/redirect.php.

>It has been a nightmare since 1.4.19 was released, knowing the version
>we had in production had serious security problems and not being able to
>upgrade.
>We are very disappointed with the null response from developers we have
>had on this issue.

I did notice that your report says you're using PHP 5.2.8. Chris Hoogendyk reported a similar issue with 1.4.18, and had several platforms upgraded. Those running PHP 4.x worked, whilst the one running 5.2 failed. I'm running 5.2.0 without issues, so I'm wondering if there might be additional changes that might cause some problems, or a link between browsers too.

--
Jonathan Angliss <jon@xxxxxxxxxxxxxxxx>
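The defensive pattern the deleted snippets implemented (fresh session id on login, cookie re-sent with hardened attributes, stale copies under src/ expired so a planted path-scoped cookie cannot shadow the real one), written out as an added example; this is not SquirrelMail's own code, and $base_uri, authenticate_user() and the cookie lifetime are assumed placeholders:

```php
<?php
// Added example, not SquirrelMail's code. $base_uri is the application's
// root path (e.g. "/webmail/"); authenticate_user() is a placeholder for
// the application's own credential check.

function reissue_session_cookie($base_uri, $lifetime = 0)
{
    // Discard the pre-login id so a fixated id never becomes authenticated.
    session_regenerate_id(true);

    $name   = session_name();
    $sid    = session_id();
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    // Browsers send the cookie with the most specific matching path first,
    // so a cookie planted under <base_uri>src or <base_uri>src/ would win
    // over the root-scoped one. Expire both variants before setting ours.
    foreach (array('src', 'src/') as $sub) {
        setcookie($name, '', time() - 86400, $base_uri . $sub, '', $secure, true);
    }

    // Re-send the session cookie at the application root with HttpOnly
    // (and Secure when served over TLS); PHP's own cookie may lack these.
    setcookie($name, $sid, $lifetime, $base_uri, '', $secure, true);
}

function login_handler($base_uri, $user, $password)
{
    // With session.auto_start=1 a session already exists here; starting
    // it ourselves keeps the behaviour identical either way.
    if (session_id() === '') {
        session_start();
    }
    if (!authenticate_user($user, $password)) {
        return false;
    }
    // Only rotate the id after a successful login, not on every redirect.
    reissue_session_cookie($base_uri);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}
```

Placing the rotation in the login handler rather than in a redirect script, as the message above suggests, avoids invalidating an already authenticated session on every page change.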