From: Ralf H. <Ral...@ch...> - 2006-02-03 09:37:00

* Rafael Martinez Guerrero <r.m...@us...>:
> This is the same problem we had some months ago. We reported this to the
> list in August 2005 and it took us very heavy debugging to find out the
> cause of this. More information here:
> http://sourceforge.net/mailarchive/message.php?msg_id=12715881
>
> This was an important security issue for us where privacy got
> compromised, as you say, e-mails get another sender, but sometimes users
> also get to see other users' folders/e-mails.
>
> Every time you use squirrelmail, a random 32 character identification
> code (SID) is generated in the server, saved as a cookie in the
> computer/browser of the user and used to identify the user in the
> system. This SID is unique and it guarantees that only one user has
> access to his/her e-mail account.
>
> We discovered that some browsers change the value of the SID from a
> random 32 character code to 'deleted'. The value 'deleted' is not random
> and if two or more users with this problem are using squirrelmail at
> the same time, then privacy can be compromised. It is because of this that
> we do not allow computers/browsers with this problem to use webmail in
> our system.
>
> We save sessions data in a postgresql database and have our own
> sessions-handler. We patched our code so it refuses to use a SID with a
> value like 'deleted' or not a 32 long char string and the problem is
> gone.
>
> We log all users with this problem and they get information about it.
>
> Since October 2005, 320 out of 37.100 that have used our webmail
> installation had this problem at least one time, this is around 0.86% of
> all users that used our system. Not much, but for us, one is more than
> enough when privacy gets compromised.

It seems we're seeing the same. Would you care to share your patch that
disallows the "(deleted)" SID?

-- 
Ralf Hildebrandt (i.A. des IT-Zentrums)          Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin             Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin     Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF                          send no mail to spamtrap@charite.de
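The check Rafael describes (refuse a SID that is 'deleted' or not a 32-character string, log it, and hand the browser a fresh id instead of looking the bad value up), as an added example that is not code from SquirrelMail or from either poster. It assumes ids are 32 lowercase hex characters and uses a dict in place of the PostgreSQL session table; `valid_sid`, `new_sid` and `resolve_session` are names chosen here.

```python
import logging
import re
import secrets

# Assumption (not SquirrelMail's format): a session id is 32 lowercase hex chars.
SID_RE = re.compile(r"[0-9a-f]{32}")
# Cookie values the thread reports browsers substituting for the real id.
REJECTED_SIDS = {"deleted", "(deleted)"}

log = logging.getLogger("session")


def valid_sid(sid):
    """True only for a well-formed id; 'deleted' and odd lengths fail."""
    if sid is None or sid in REJECTED_SIDS:
        return False
    return SID_RE.fullmatch(sid) is not None


def new_sid():
    """Fresh random id: 16 random bytes rendered as 32 hex characters."""
    return secrets.token_hex(16)


def resolve_session(cookie_sid, store, user="unknown"):
    """Return (sid, session_dict) for one request.

    A malformed cookie value is never used as a lookup key, so two browsers
    that both send 'deleted' can never land on the same session row. A
    well-formed but unknown id (expired, or never issued here) also gets a
    new id rather than adopting the one the client presented.
    """
    if not valid_sid(cookie_sid):
        # Matches the thread's mitigation: log the affected user, drop the id.
        log.warning("user %s sent bad session cookie %r; issuing new id", user, cookie_sid)
        sid = new_sid()
        store[sid] = {}
        return sid, store[sid]
    if cookie_sid not in store:
        sid = new_sid()
        store[sid] = {}
        return sid, store[sid]
    return cookie_sid, store[cookie_sid]
```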