On Wed, 17 Jun 2009 15:16:37 -0700 (PDT), SquirrelMail Email List <sm@xxxxxxxx> wrote:

>
> On Thu, 11 Jun 2009, Jonathan Angliss wrote:
>
>> On Mon, 08 Jun 2009 11:30:12 +0200, Rafael Martinez
>> <r.m.guerrero@xxxxxxxxxxx> wrote:
>>
>>> dwnek@xxxxxxxxxxxxxx wrote:
>>> [....]
>>>>
>>>> When I simply reconfigure httpd.conf to point to webmail-1.4.17 vice
>>>> webmail-1.4.19 and restart the httpd service, all of the above problems go
>>>> away.
>>>>
>>>> I have not seen a response back to Rafael's email above yet and was
>>>> wondering what the status of this is and if there is something that can be
>>>> done to correct this. I am anxious to go back to 1.4.19 because of all of
>>>> the security fixes contained in 1.4.18, including the very important fix
>>>> regarding remote execution of server-side code.
>>>>
>>>
>>> Hello
>>>
>>> We have found a way to avoid these problems.
>>>
>>> We have deleted this code in src/redirect.php:
>>>
>>> --------------------------------------------------------------------
>>> if (function_exists('session_regenerate_id')) {
>>>
>>>     session_regenerate_id();
>>>
>>>     // re-send session cookie so we get the right parameters on it
>>>     // (such as HTTPOnly, if necessary - PHP doesn't do this itself)
>>>
>>>     sqsetcookie(session_name(), session_id(), false, $base_uri);
>>> }
>>> --------------------------------------------------------------------
>>>
>>> and this code in functions/global.php:
>>>
>>> --------------------------------------------------------------------
>>>
>>> sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src');
>>> sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src/');
>>>
>>> --------------------------------------------------------------------
>>>
>>> Maybe some of the developers can explain the implications of these changes.
>>
>> It was in response to a security report. We try to overwrite the
>> cookies that may already be set in the src/ directory to stop a hacker
>> from attempting to steal information.
>>
>>> With these changes, users logged in to SquirrelMail under the upgrade will
>>> get the "you must be logged in" error, but everything will work without
>>> problems when they log in again after this.
>>
>> I've not seen the issue myself, but then I cannot say I run on a large
>> variety of systems, so you may be coming across a combination we don't
>> know about.
>>
>> What are your settings for session.auto_start in your php.ini?
>>
>> It's possible that we should be pushing the call to
>> regenerate_id into src/login.php instead of src/redirect.php.
>>
>>> It has been a nightmare since 1.4.19 was released, knowing the version
>>> we had in production had serious security problems and not being able to
>>> upgrade.
>>>
>>> We are very disappointed with the null response from developers we have
>>> had on this issue.
>>
>> I did notice that your report says you're using PHP 5.2.8. Chris
>> Hoogendyk reported a similar issue with 1.4.18, and had several
>> platforms upgraded. Those running PHP 4.x worked, whilst the one
>> running 5.2 failed. I'm running 5.2.0 without issues, so I'm
>> wondering if there might be additional changes that might cause some
>> problems, or a link between browsers too.
>>
>> --
>> Jonathan Angliss
>> <jon@xxxxxxxxxxxxxxxx>
>>
>
> So is this the final word on this problem? We are having the same problem
> with our setup.

I had not heard anything back from the original poster of the issue, so I'm not sure what I can say. As you're able to reproduce the same issue, can you provide us with some more details? Platform? Web server? PHP version? Plugin details?
--
Jonathan Angliss
<jon@xxxxxxxxxxxxxxxx>

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
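To make the defensive intent of the deleted code concrete, here is an added illustration (not SquirrelMail's code and not from anyone in the thread): a toy model of how a browser selects cookies for a request, showing why a stale session cookie scoped to `$base_uri . 'src/'` would shadow the regenerated one issued on `$base_uri`, and what expiring the src-path copies before re-sending the session cookie achieves. The cookie name `SESSID`, the ids, and the request path are constructed for the example.

```php
<?php
// Added example, not SquirrelMail's code: a toy model of browser cookie
// selection (RFC 6265 path matching, longest path first) showing why a
// stale session cookie scoped to "<base_uri>src/" shadows a fresh one set
// on "<base_uri>", and what expiring the src-path copies achieves.
// Cookie name, values and paths below are constructed for the illustration.

function cookie_path_matches(string $cookiePath, string $requestPath): bool {
    if ($cookiePath === $requestPath) {
        return true;
    }
    if (strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) {
        return false;
    }
    // "/webmail/" matches "/webmail/src/x"; "/webmail" matches "/webmail/x" but not "/webmailx".
    return substr($cookiePath, -1) === '/' || $requestPath[strlen($cookiePath)] === '/';
}

// Session id as PHP would see it: the browser sends matching cookies with the
// most specific path first, and $_COOKIE keeps the FIRST occurrence of a name.
function effective_session_id(array $jar, string $name, string $requestPath): ?string {
    $sent = array_filter($jar, fn($c) => cookie_path_matches($c['path'], $requestPath));
    usort($sent, fn($a, $b) => strlen($b['path']) <=> strlen($a['path']));
    foreach ($sent as $c) {
        if ($c['name'] === $name) {
            return $c['value'];
        }
    }
    return null;
}

// Model of the mitigation in the thread: expire any copy of the session
// cookie scoped to the src paths, then issue the regenerated id on the base path.
function reissue_session_cookie(array $jar, string $name, string $newId, string $baseUri): array {
    $drop = [$baseUri . 'src', $baseUri . 'src/', $baseUri];
    $jar = array_filter($jar, fn($c) => !($c['name'] === $name && in_array($c['path'], $drop, true)));
    $jar[] = ['name' => $name, 'value' => $newId, 'path' => $baseUri];
    return array_values($jar);
}

$baseUri = '/webmail/';
$jar = [
    ['name' => 'SESSID', 'value' => 'stale-src-scoped-id', 'path' => $baseUri . 'src/'],
    ['name' => 'SESSID', 'value' => 'stale-base-id',       'path' => $baseUri],
];
$req = $baseUri . 'src/webmail.php';
echo "before reissue: ", effective_session_id($jar, 'SESSID', $req), "\n";
$jar = reissue_session_cookie($jar, 'SESSID', 'fresh-regenerated-id', $baseUri);
echo "after reissue:  ", effective_session_id($jar, 'SESSID', $req), "\n";
```

Without the expiry step, the server would keep honouring the src-scoped id on every request under src/, which is why regenerating the id alone is not enough.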