Re: Still problems with 1.4.19 and "you must be logged in" error

On Thu, 18 Jun 2009, Jonathan Angliss wrote:

> On Wed, 17 Jun 2009 15:16:37 -0700 (PDT), SquirrelMail Email List
> <sm@xxxxxxxx> wrote:
>
>>
>>
>> On Thu, 11 Jun 2009, Jonathan Angliss wrote:
>>
>>> On Mon, 08 Jun 2009 11:30:12 +0200, Rafael Martinez
>>> <r.m.guerrero@xxxxxxxxxxx> wrote:
>>>
>>>> dwnek@xxxxxxxxxxxxxx wrote:
>>>> [....]
>>>>>
>>>>> When I  simply reconfigure httpd.conf to point to webmail-1.4.17 vice
>>>>> webmail-1.4.19 and restart the httpd service all of the above problems go
>>>>> away.
>>>>>
>>>>> I have not seen a response back to Rafael's email above yet and was
>>>>> wondering what the status of this is and if there is something that can be
>>>>> done to correct this. I am anxious to go back to 1.4.19 because of all of
>>>>> the security fixes contained in 1.4.18 including the very important fix
>>>>> regarding remote execution of server side code.
>>>>>
>>>>
>>>> Hello
>>>>
>>>> We have found a way to avoid these problems.
>>>>
>>>> We have deleted this code in src/redirect.php:
>>>>
>>>> --------------------------------------------------------------------
>>>> if (function_exists('session_regenerate_id')) {
>>>>    session_regenerate_id();
>>>>    // re-send session cookie so we get the right parameters on it
>>>>    // (such as HTTPOnly, if necessary - PHP doesn't do this itself
>>>>    sqsetcookie(session_name(),session_id(),false,$base_uri);
>>>> }
>>>> -------------------------------------------------------------------
>>>>
>>>> and this code in function/global.php:
>>>>
>>>> --------------------------------------------------------------------
>>>> sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src');
>>>> sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src/');
>>>> --------------------------------------------------------------------
>>>
>>>>
>>>> Maybe some of the developers can explain the implications of these changes.
>>>
>>> It was in response to a security report.  We try to overwrite the
>>> cookies that may already be set in the src/ directory to stop a hacker
>>> from attempting to steal information.
>>>
>>>> With these changes, users logged in to squirrelmail during the upgrade will
>>>> get the "you must be logged in" error, but everything will work without
>>>> problems when they log in again after this.
>>>
>>> I've not seen the issue myself, but then cannot say I run on a large
>>> variety of systems, so you may be coming across a combination we don't
>>> know about.
>>>
>>> What are your settings for session.auto_start in your php.ini?
>>>
>>> It's probably possible that we should be pushing the call to
>>> regenerate_id into src/login.php instead of src/redirect.php.
>>>
>>>> It has been a nightmare since 1.4.19 was released, knowing the version
>>>> we had in production had serious security problems and not being able to
>>>> upgrade.
>>>
>>>> We are very disappointed with the null response from developers we have
>>>> had on this issue.
>>>
>>> I did notice that your report says you're using PHP 5.2.8, Chris
>>> Hoogendyk reported a similar issue with 1.4.18, and had several
>>> platforms upgraded.  Those running PHP 4.x worked, whilst the one
>>> running 5.2 failed.  I'm running 5.2.0 without issues, so I'm
>>> wondering if there might be additional changes that might cause some
>>> problems, or a link between browsers too.
>>>
>>> --
>>> Jonathan Angliss
>>> <jon@xxxxxxxxxxxxxxxx>
>>>
>>
>> So is this the final word on this problem? We are having the same problem
>> with our setup.
>
> I had not heard anything back from the original poster of the issue,
> so I'm not sure what I can say.  As you're able to reproduce the same
> issue, can you provide us with some more details? Platform? Web
> server? PHP version? Plugin details?
>
> -- 
> Jonathan Angliss
> <jon@xxxxxxxxxxxxxxxx>
>

Sure. We're running a Debian Etch system here.

Apache2 version 2.2.3-4+etch8

Apache/2.2.3 (Debian) mod_auth_kerb/5.3 mod_fastcgi/2.4.2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2
Perl/v5.8.8 configured -- resuming normal operations

mysql-server-5.0 version 5.0.32-7etch10
postfix version 2.3.8-2+etch1
courier-authlib-mysql version 0.58-4+etch3

This system runs 2 gigs of memory.

Plugins:
     1. vlogin
     2. delete_move_next
     3. calendar
     4. message_details
     5. newmail
     6. sent_subfolders
     7. translate
     8. listcommands
     9. compatibility
     10. abook_import_export
     11. view_as_html
     12. timeout_user
     13. quicksave
     14. mail_fetch
     15. twc_weather
     16. unsafe_image_rules
     17. preview_pane
     18. cookie_warning
     19. askuserinfo
     20. folder_synch
     21. squirrel_logger
     22. vkeyboard
     23. change_sqlpass
     24. calendar_sql_backend
     25. sasql
     26. abook_group_pagination
     27. add_address
     28. select_range
     29. compose_extras
     30. filters
     31. squirrelspell
     32. dictionary
     33. get_uuencode
     34. custom_charset



squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
