[SM-USERS] Session Oddity (or Mail From the Wrong User)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

We've been using SquirrelMail for years and have by and large been super 
happy.  Recently we had what we feel is a very strange session issue that 
we think is likely related to PHP, but I wanted to toss it out here in 
case anyone else had seen this before.

We got a report the other day of someone sending a message from squirrel 
and when the message sent the from address was set to that of another one 
of our users.

For example:  bo...@do... logs into SM, composes a messages and 
sends it.  When the message is received by the recipient it reports the 
From: address as jo...@do....

Luckily we were also able to get the full headers for this message and the 
header showed that the SquirrelMail authenticated user was 
bo...@do..., but shows all the from info as jo...@do....

The mail logs also showed the message and reported all the activity as 
from jo...@do...

While researching this I found that this had happened at least one other 
time before, and had been happening someone consistently for this third 
user.  While troubleshooting they noticed their system clock was set to 
1970 for some reason.  They set their clock to the correct time and it has 
not happened since.

On a whim with this new case I had both bobuser and joeuser check their 
system clocks and sure enough, one was set to 2001 and one was set to 
1970.

Now, this seems Awfully strange to me and rather frustrating because I'd 
really rather not have people sending mail from the wrong user and of 
course I can't control what all of my users clocks are set to.

I'm suspecting it might be a session oddity and somehow when the date is 
way off it is confusing the session expiration.  However, this really 
doesn't seem to explain how they were getting someone else's prefs, at 
least partially.

Has anyone else seen or heard of anything like this?

At the time of the report we were running apache 2.2.2 (now 2.2.3 because 
of today's advisory), with php 5.1.3 and a patched version of SM 1.4.6 (I 
will be upgrading SM on Monday to the true 1.4.7 version).  All of this 
runs on FreeBSD 4.11.

Let me know what other information I can provide.

Thanks much.

Matt Ruzicka - Senior Systems Administrator
Front Range Internet, Inc.
ma...@fr... - (970) 212-0728