Re: [Phpgroupware-users] emails from other account to be seen

[Chris Weiss]

the emails are cached in the phpgw_anglemail table.  I'm sure not how
possible it is to get something odd in data that would cause the sql
query to grab records for a different user account.  Can you turn on
sql logging/tracing in your database and see what the sql query is
when the other users email are shown?  This will likely create a HUGE
log file, so make sure you have plenty of space for it and don't leave
it on forever.


On Fri, 24 Sep 2004 22:19:22 +1000, Dave Hall
<address@hidden> wrote:
> Hi Dirk,
> 
> I thought a little more about this.
> 
> Couple of questions to try to track it down:
> 
> session type: get or cookies - (does the url contain kp3=uwq89qcj29h7f)
> 
> do the effected user/s login to other accounts?
> 
> accounts system used? sql or ldap?
> 
> This info *might* help me track it down.  If it is a security problem, I
> will ensure it is fixed quicky, but first we need to know where to go
> hunting and what test env is needed.
> 
> On Fri, 2004-09-24 at 22:11, Dirk H. Schulz wrote:
> > Hi,
> >
> > --On Freitag, 24. September 2004 8:57 Uhr +0000 Guillaume Courtois
> > <address@hidden> wrote:
> >
> > >> I am using 0.9.14.007 and have a security problem: Sometimes one user is
> > >> shown some emails from the account of a different user - instead of his
> > >> own emails. It is not reproducable, but it happens. I even managed to
> > >> get a screenshot from that - so it is not a short time impression that
> > >> can be wrong.
> > >>
> > >> Is this a known bug? Is it fixed in 0.9.16?
> > >
> > > Never heard of that ! I'm using phpGW for my everyday mail, and I've
> > > never had this problem.
> >
> > The same with me. I never had this before, and I only have it in one
> > certain instance of phpgroupware and with one pair of accounts. But since
> > email app uses the courier imap server and since all is fine if I use this
> > imap server via a classic MUA I think it must be a phpgroupware related
> > problem.
> >
> > >
> > > Maybe check the permissions of the mailbox files ? On what platform do you
> > > have this ?
> >
> > Yes, I have checked these. But thinking of what I said above I think the
> > problem cannot be with the underlying mail system. I think that phpgw
> > somehow uses the login credentials of one account while I am logged in to
> > the other account.
> >
> > That is really strange. But it is quite a security problem if it is not
> > some kind of stupidity on my part.
> >
> > Does anyone have any idea on how to verify this?
> >
> 
> --
> Dave Hall (aka skwashd)
> API Coordinator
> phpGroupWare
> 
> 
> 
> 
> _______________________________________________
> Phpgroupware-users mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/phpgroupware-users
> 
>