On Thu, 18 Jun 2009, Jonathan Angliss wrote:

> On Wed, 17 Jun 2009 15:16:37 -0700 (PDT), SquirrelMail Email List
> <sm@xxxxxxxx> wrote:
>
>> On Thu, 11 Jun 2009, Jonathan Angliss wrote:
>>
>>> On Mon, 08 Jun 2009 11:30:12 +0200, Rafael Martinez
>>> <r.m.guerrero@xxxxxxxxxxx> wrote:
>>>
>>>> dwnek@xxxxxxxxxxxxxx wrote:
>>>> [....]
>>>>>
>>>>> When I simply reconfigure httpd.conf to point to webmail-1.4.17 vice
>>>>> webmail-1.4.19 and restart the httpd service all of the above problems go
>>>>> away.
>>>>>
>>>>> I have not seen a response back to Rafael's email above yet and was
>>>>> wondering what the status of this is and if there is something that can be
>>>>> done to correct this. I am anxious to go back to 1.4.19 because of all of
>>>>> the security fixes contained in 1.4.18, including the very important fix
>>>>> regarding remote execution of server-side code.
>>>>>
>>>>
>>>> Hello
>>>>
>>>> We have found a way to avoid these problems.
>>>>
>>>> We have deleted this code in src/redirect.php:
>>>>
>>>> --------------------------------------------------------------------
>>>> if (function_exists('session_regenerate_id')) {
>>>>
>>>>     session_regenerate_id();
>>>>
>>>>     // re-send session cookie so we get the right parameters on it
>>>>     // (such as HTTPOnly, if necessary - PHP doesn't do this itself
>>>>
>>>>     sqsetcookie(session_name(),session_id(),false,$base_uri);
>>>> }
>>>> -------------------------------------------------------------------
>>>>
>>>> and this code in function/global.php:
>>>>
>>>> --------------------------------------------------------------------
>>>>
>>>> sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src');
>>>> sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri .
>>>> 'src/');
>>>>
>>>> --------------------------------------------------------------------
>>>>
>>>> Maybe some of the developers can explain the implications of these changes.
>>>
>>> It was in response to a security report. We try to overwrite the
>>> cookies that may already be set in the src/ directory to stop a hacker
>>> from attempting to steal information.
>>>
>>>> With these changes, users logged in to squirrelmail under the upgrade will
>>>> get the "you must be logged in" error, but everything will work without
>>>> problems when they log in again after this.
>>>
>>> I've not seen the issue myself, but then I cannot say I run on a large
>>> variety of systems, so you may be coming across a combination we don't
>>> know about.
>>>
>>> What are your settings for session.auto_start in your php.ini?
>>>
>>> It's probably possible that we should be pushing the call to
>>> regenerate_id into src/login.php instead of src/redirect.php.
>>>
>>>> It has been a nightmare since 1.4.19 was released, knowing the version
>>>> we had in production had serious security problems and not being able to
>>>> upgrade.
>>>>
>>>> We are very disappointed with the null response from developers we have
>>>> had on this issue.
>>>
>>> I did notice that your report says you're using PHP 5.2.8. Chris
>>> Hoogendyk reported a similar issue with 1.4.18, and had several
>>> platforms upgraded. Those running PHP 4.x worked, whilst the one
>>> running 5.2 failed. I'm running 5.2.0 without issues, so I'm
>>> wondering if there might be additional changes that might cause some
>>> problems, or a link between browsers too.
>>>
>>> --
>>> Jonathan Angliss
>>> <jon@xxxxxxxxxxxxxxxx>
>>>
>>
>> So is this the final word on this problem? We are having the same problem
>> with our setup.
>
> I had not heard anything back from the original poster of the issue,
> so I'm not sure what I can say. As you're able to reproduce the same
> issue, can you provide us with some more details? Platform? Web
> server? PHP version? Plugin details?
>
> --
> Jonathan Angliss
> <jon@xxxxxxxxxxxxxxxx>
>

Sure. We're running a Debian Etch system here.

Apache2 version 2.2.3-4+etch8
Apache/2.2.3 (Debian) mod_auth_kerb/5.3 mod_fastcgi/2.4.2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8 configured -- resuming normal operations
mysql-server-5.0 version 5.0.32-7etch10
postfix version 2.3.8-2+etch1
courier-authlib-mysql version 0.58-4+etch3

This system runs 2 gigs of memory.

Plugins:
1. vlogin
2. delete_move_next
3. calendar
4. message_details
5. newmail
6. sent_subfolders
7. translate
8. listcommands
9. compatibility
10. abook_import_export
11. view_as_html
12. timeout_user
13. quicksave
14. mail_fetch
15. twc_weather
16. unsafe_image_rules
17. preview_pane
18. cookie_warning
19. askuserinfo
20. folder_synch
21. squirrel_logger
22. vkeyboard
23. change_sqlpass
24. calendar_sql_backend
25. sasql
26. abook_group_pagination
27. add_address
28. select_range
29. compose_extras
30. filters
31. squirrelspell
32. dictionary
33. get_uuencode
34. custom_charset

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
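The two deleted fragments quoted above do two separate jobs: the src/redirect.php block regenerates the session id after login (so a session id an attacker planted before authentication, i.e. session fixation, never becomes an authenticated session) and re-sends the cookie so HttpOnly is set; the global.php lines expire any older copy of the session cookie that was scoped to the src/ path, because a browser holding two cookies of the same name sends the more specific path first and PHP keeps the first value it sees, so a stale src/-scoped cookie would shadow the fresh one. The following is an added example of that logic, not SquirrelMail's code; `app_set_cookie()`, `app_login_session()` and the use of the PHP 7.3+ options array for `setcookie()` are this example's own assumptions (SquirrelMail's `sqsetcookie()` has a different signature, and the PHP 5.2 systems in this thread would need the positional form `setcookie($name, $value, $expires, $path, '', $secure, true)`).

```php
<?php
// Added example, not part of the SquirrelMail source: regenerate the session id
// once at login and leave exactly one session cookie, scoped to the application
// root, on the browser.

/**
 * Assumption: PHP >= 7.3, where setcookie() accepts an options array, so
 * HttpOnly and SameSite can be set without hand-building a Set-Cookie header.
 */
function app_set_cookie(string $name, string $value, int $expires, string $path, bool $secure): void
{
    setcookie($name, $value, [
        'expires'  => $expires,
        'path'     => $path,
        'secure'   => $secure,   // only mark Secure when actually served over HTTPS
        'httponly' => true,      // keep document.cookie from reading the session id
        'samesite' => 'Lax',
    ]);
}

/**
 * Call once, right after credentials have been verified. $base_uri is the
 * application root with a trailing slash (e.g. "/webmail/").
 */
function app_login_session(string $base_uri, bool $https): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Discard the id the browser arrived with. If an attacker fixed that id in
    // the victim's browser before login, it must not become the authenticated
    // session. The "true" also deletes the old session data on the server.
    session_regenerate_id(true);

    $name = session_name();

    // Expire any copy of the session cookie that an earlier deployment scoped to
    // a sub-path. A cookie can only be cleared with the same name *and* path it
    // was set with, which is why both "src" and "src/" are covered here.
    foreach ([$base_uri . 'src', $base_uri . 'src/'] as $stale_path) {
        app_set_cookie($name, '', 1, $stale_path, $https);
    }

    // Re-send the fresh id ourselves: session_regenerate_id() only applies the
    // php.ini cookie flags, so this is where HttpOnly/Secure are guaranteed.
    app_set_cookie($name, session_id(), 0, $base_uri, $https);

    return session_id();
}
```

Doing the regeneration only in the login handler, rather than on every redirect as the deleted src/redirect.php block did, is the change Jonathan floats above; it also sidesteps the "you must be logged in" symptom, since a session that has already authenticated is never re-keyed mid-flight. Regardless of where it runs, verify the result by checking that the browser stores exactly one cookie with the session name after login and that it carries the HttpOnly flag.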