phpgroupware-users

Re: [Phpgroupware-users] emails from other account to be seen


From: Chris Weiss
Subject: Re: [Phpgroupware-users] emails from other account to be seen
Date: Tue, 5 Oct 2004 07:37:20 -0500

you can send to me and/or dave

I don't recall how the mysql log file is laid out, but I'd really only
need the select query with the where clause and not the results,
shouldn't have any personal data in the query.



On Tue, 05 Oct 2004 07:59:44 +0200, Dirk H. Schulz
<address@hidden> wrote:
> Hi Chris, hi Dave,
> 
> I did not have the time to come up with that earlier.
> 
> We have caught an occurrence of the phenomenon in the night of 26th to 27th
> of September in the mysql log. If it is of any use I could send you the
> relevant part.
> 
> I do not like to send it to the list. So if you are interested please tell
> me where to send it.
> 
> Dirk
> 
> --On Friday, 24 September 2004 7:43 -0500 Chris Weiss
> <address@hidden> wrote:
> 
> > the emails are cached in the phpgw_anglemail table.  I'm not sure how
> > possible it is to get something odd in data that would cause the sql
> > query to grab records for a different user account.  Can you turn on
> > sql logging/tracing in your database and see what the sql query is
> > when the other user's emails are shown?  This will likely create a HUGE
> > log file, so make sure you have plenty of space for it and don't leave
> > it on forever.
> >
> >
> > On Fri, 24 Sep 2004 22:19:22 +1000, Dave Hall
> > <address@hidden> wrote:
> >> Hi Dirk,
> >>
> >> I thought a little more about this.
> >>
> >> Couple of questions to try to track it down:
> >>
> >> session type: get or cookies - (does the url contain kp3=uwq89qcj29h7f)
> >>
> >> do the affected user/s log in to other accounts?
> >>
> >> accounts system used? sql or ldap?
> >>
> >> This info *might* help me track it down.  If it is a security problem, I
> >> will ensure it is fixed quickly, but first we need to know where to go
> >> hunting and what test env is needed.
> >>
> >> On Fri, 2004-09-24 at 22:11, Dirk H. Schulz wrote:
> >> > Hi,
> >> >
> >> > --On Friday, 24 September 2004 8:57 +0000 Guillaume Courtois
> >> > <address@hidden> wrote:
> >> >
> >> > >> I am using 0.9.14.007 and have a security problem: Sometimes one
> >> > >> user is shown some emails from the account of a different user -
> >> > >> instead of his own emails. It is not reproducible, but it happens.
> >> > >> I even managed to get a screenshot from that - so it is not a short
> >> > >> time impression that can be wrong.
> >> > >>
> >> > >> Is this a known bug? Is it fixed in 0.9.16?
> >> > >
> >> > > Never heard of that ! I'm using phpGW for my everyday mail, and I've
> >> > > never had this problem.
> >> >
> >> > The same with me. I never had this before, and I only have it in one
> >> > certain instance of phpgroupware and with one pair of accounts. But
> >> > since email app uses the courier imap server and since all is fine if
> >> > I use this imap server via a classic MUA I think it must be a
> >> > phpgroupware related problem.
> >> >
> >> > >
> >> > > Maybe check the permissions of the mailbox files ? On what platform
> >> > > do you have this ?
> >> >
> >> > Yes, I have checked these. But thinking of what I said above I think
> >> > the problem cannot be with the underlying mail system. I think that
> >> > phpgw somehow uses the login credentials of one account while I am
> >> > logged in to the other account.
> >> >
> >> > That is really strange. But it is quite a security problem if it is not
> >> > some kind of stupidity on my part.
> >> >
> >> > Does anyone have any idea on how to verify this?
> >> >
> >>
> >> --
> >> Dave Hall (aka skwashd)
> >> API Coordinator
> >> phpGroupWare
>
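
The log triage discussed in this thread, as an added example that is not part of the original messages or of phpGroupWare: it pulls only the SELECT statements that touch `phpgw_anglemail` out of a MySQL general query log, blanks quoted string values so the excerpt can be shared, and lists which account ids each connection asked for. The log layout, the `account_id` and `data_key` column names and all sample values are assumptions; only the table name comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: optional "YYMMDD H:MM:SS" stamp, connection id, command,
# argument. Columns, ids and values are hypothetical, not phpGroupWare's schema.
SAMPLE_LOG = """\
040927  1:12:03      17 Connect     phpgw@localhost on phpgroupware
                     17 Query       SELECT content FROM phpgw_anglemail
                                    WHERE account_id = 12 AND data_key = 'INBOX;msgball_list'
040927  1:12:04      18 Query       SELECT * FROM phpgw_sessions WHERE session_id = 'abc123'
                     17 Query       SELECT content FROM phpgw_anglemail WHERE account_id = 31 AND data_key = 'INBOX'
                     17 Quit
"""

ENTRY = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+|\s+)(\d+)\s+(\w+)\s*(.*)$")
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.|'')*'")

def parse_entries(log_text):
    """Yield (connection_id, command, argument), joining multi-line arguments."""
    current = None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [int(m.group(1)), m.group(2), m.group(3).strip()]
        elif current and line.strip():
            current[2] += " " + line.strip()  # continuation of the previous query
    if current:
        yield tuple(current)

def cache_selects(log_text, table="phpgw_anglemail"):
    """Return (connection_id, query) for SELECTs on the table, string values blanked."""
    out = []
    for conn, cmd, arg in parse_entries(log_text):
        if cmd == "Query" and arg.upper().startswith("SELECT") and table in arg:
            out.append((conn, STRING_LITERAL.sub("'?'", arg)))
    return out

def account_ids_by_connection(selects, column="account_id"):
    """Map connection id -> sorted numeric ids compared against `column`."""
    seen = defaultdict(set)
    pat = re.compile(rf"\b{re.escape(column)}\s*=\s*(\d+)")
    for conn, query in selects:
        seen[conn].update(int(n) for n in pat.findall(query))
    return {conn: sorted(ids) for conn, ids in seen.items()}

if __name__ == "__main__":
    print(account_ids_by_connection(cache_selects(SAMPLE_LOG)))
```

Numeric ids are kept because they are what the WHERE clause comparison needs; a connection that queries the cache for more than one id is a lead to check against the session data, not proof of a bug.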



