On Thu, 18 Jun 2009, SquirrelMail Email List wrote:

> On Thu, 18 Jun 2009, Jonathan Angliss wrote:
>
>> On Wed, 17 Jun 2009 15:16:37 -0700 (PDT), SquirrelMail Email List
>> <sm@xxxxxxxx> wrote:
>>
>>> On Thu, 11 Jun 2009, Jonathan Angliss wrote:
>>>
>>>> On Mon, 08 Jun 2009 11:30:12 +0200, Rafael Martinez
>>>> <r.m.guerrero@xxxxxxxxxxx> wrote:
>>>>
>>>>> dwnek@xxxxxxxxxxxxxx wrote:
>>>>> [....]
>>>>>>
>>>>>> When I simply reconfigure httpd.conf to point to webmail-1.4.17 vice
>>>>>> webmail-1.4.19 and restart the httpd service all of the above problems go
>>>>>> away.
>>>>>>
>>>>>> I have not seen a response back to Rafael's email above yet and was
>>>>>> wondering what the status of this is and if there is something that can be
>>>>>> done to correct this. I am anxious to go back to 1.4.19 because of all of
>>>>>> the security fixes contained in 1.4.18 including the very important fix
>>>>>> regarding remote execution of server side code.
>>>>>>
>>>>>
>>>>> Hello
>>>>>
>>>>> We have found a way to avoid these problems.
>>>>>
>>>>> We have deleted this code in src/redirect.php:
>>>>>
>>>>> --------------------------------------------------------------------
>>>>> if (function_exists('session_regenerate_id')) {
>>>>>
>>>>>     session_regenerate_id();
>>>>>
>>>>>     // re-send session cookie so we get the right parameters on it
>>>>>     // (such as HTTPOnly, if necessary - PHP doesn't do this itself
>>>>>
>>>>>     sqsetcookie(session_name(),session_id(),false,$base_uri);
>>>>> }
>>>>> -------------------------------------------------------------------
>>>>>
>>>>> and this code in function/global.php:
>>>>>
>>>>> --------------------------------------------------------------------
>>>>>
>>>>> sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src');
>>>>> sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src/');
>>>>>
>>>>> --------------------------------------------------------------------
>>>>>
>>>>> Maybe some of the developers can explain the implications of these changes.
>>>>
>>>> It was in response to a security report. We try to overwrite the
>>>> cookies that may already be set in the src/ directory to stop a hacker
>>>> from attempting to steal information.
>>>>
>>>>> With these changes, users logged in squirrelmail under the upgrade will
>>>>> get the "you must be logged in" error, but everything will work without
>>>>> problems when they log in again after this.
>>>>
>>>> I've not seen the issue myself, but then cannot say I run on a large
>>>> variety of systems, so you may be coming across a combination we don't
>>>> know about.
>>>>
>>>> What are your settings for session.auto_start in your php.ini?
>>>>
>>>> It's probably possible that we should be pushing the call to the
>>>> regenerate_id into src/login.php instead of src/redirect.php.
>>>>
>>>>> It has been a nightmare since 1.4.19 was released knowing the version
>>>>> we had in production had serious security problems and not being able to
>>>>> upgrade.
>>>>>
>>>>> We are very disappointed with the null response from developers we have
>>>>> had on this issue.
>>>>
>>>> I did notice that your report says you're using PHP 5.2.8, Chris
>>>> Hoogendyk reported a similar issue with 1.4.18, and had several
>>>> platforms upgraded. Those running PHP 4.x worked, whilst the one
>>>> running 5.2 failed. I'm running 5.2.0 without issues, so I'm
>>>> wondering if there might be additional changes that might cause some
>>>> problems, or a link between browsers too.
>>>>
>>>> --
>>>> Jonathan Angliss
>>>> <jon@xxxxxxxxxxxxxxxx>
>>>>
>>>
>>> So is this the final word on this problem? We are having the same problem
>>> with our setup.
>>
>> I had not heard anything back from the original poster of the issue,
>> so I'm not sure what I can say. As you're able to reproduce the same
>> issue, can you provide us with some more details? Platform? Web
>> server? PHP version? Plugin details?
>>
>> --
>> Jonathan Angliss
>> <jon@xxxxxxxxxxxxxxxx>
>>
>
> Sure. We're running a Debian Etch system here.
>
> Apache2 version 2.2.3-4+etch8
>
> Apache/2.2.3 (Debian) mod_auth_kerb/5.3 mod_fastcgi/2.4.2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2
> Perl/v5.8.8 configured -- resuming normal operations
>
> mysql-server-5.0 version 5.0.32-7etch10
> postfix version 2.3.8-2+etch1
> courier-authlib-mysql version 0.58-4+etch3
>
> This system runs 2 gigs of memory.
>
> Plugins:
> 1. vlogin
> 2. delete_move_next
> 3. calendar
> 4. message_details
> 5. newmail
> 6. sent_subfolders
> 7. translate
> 8. listcommands
> 9. compatibility
> 10. abook_import_export
> 11. view_as_html
> 12. timeout_user
> 13. quicksave
> 14. mail_fetch
> 15. twc_weather
> 16. unsafe_image_rules
> 17. preview_pane
> 18. cookie_warning
> 19. askuserinfo
> 20. folder_synch
> 21. squirrel_logger
> 22. vkeyboard
> 23. change_sqlpass
> 24. calendar_sql_backend
> 25. sasql
> 26. abook_group_pagination
> 27. add_address
> 28. select_range
> 29. compose_extras
> 30. filters
> 31. squirrelspell
> 32. dictionary
> 33. get_uuencode
> 34. custom_charset

I figured out the problem. I had at one point upgraded my php from version 4 to version 5. In version 4 I had set "session.auto_start = 0" but in the upgrade to version 5 it got set to "session.auto_start = 1". Squirrelmail version 1.4.17 worked fine with it set on but 1.14.19 did not. So set "session.auto_start = 1" in your php.ini file.

Ken

------------------------------------------------------------------------------
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
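The thread above quotes two pieces of SquirrelMail 1.4.19 code (regenerating the session id at redirect time and expiring any session cookie scoped to the src/ path) and ends with Ken tracing the "you must be logged in" loop to session.auto_start having been switched on by a PHP 5 upgrade. The following is an added illustration, not SquirrelMail's own code and not something posted in the thread: it writes out the same login-time sequence as plain PHP and refuses to run while session.auto_start is on, since an auto-started session is created before the login script can control its cookie. The base URI, cookie lifetime and the decision to terminate on a bad setting are assumptions of this example.

```php
<?php
// Added example, not SquirrelMail code. Demonstrates the session handling
// the quoted src/redirect.php and functions/global.php lines perform, plus
// the php.ini check the thread converges on.

$base_uri = '/webmail/';   // assumed application path, not from the thread

// session.auto_start = 1 makes PHP open a session (and emit its cookie)
// before this script runs, so the login code below can no longer decide
// when the session is created or which attributes its cookie carries.
// Fail loudly instead of looping on "you must be logged in".
if (ini_get('session.auto_start')) {
    header('HTTP/1.1 500 Internal Server Error');
    exit("session.auto_start must be 0 in php.ini for explicit session handling.\n");
}

// Open the session only now, at login time.
session_start();

// ... credential check would happen here; assume it succeeded ...

// Rotate the session id after authentication so an id handed out before
// login (session fixation) is not valid afterwards. The true argument
// discards the old session data (available since PHP 5.1).
session_regenerate_id(true);

// Re-send the session cookie with explicit attributes, which is what the
// quoted sqsetcookie() call after session_regenerate_id() was doing:
// path = application root, Secure when served over TLS, HttpOnly set.
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
setcookie(session_name(), session_id(), 0, $base_uri, '', $secure, true);

// Expire any copy of the session cookie scoped to the src/ path. A cookie
// with a narrower path takes precedence for requests under that path, so
// a stale or planted src/-scoped cookie would shadow the one set above;
// this mirrors the intent of the two quoted functions/global.php lines.
foreach (array($base_uri . 'src', $base_uri . 'src/') as $path) {
    setcookie(session_name(), '', time() - 3600, $path);
}
```

Run as the login handler, this emits three Set-Cookie headers: one fresh session cookie for the application root and two expirations for the src/ paths. If the script instead prints the session.auto_start message, the fix is in php.ini (or a php_admin_flag in the Apache vhost), not in the application code.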