
[Phpgroupware-users] admin authentication hole


From: Patrick Price
Subject: [Phpgroupware-users] admin authentication hole
Date: Tue, 10 Sep 2002 10:25:02 -0400
User-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:0.9.4.1) Gecko/20020406 Netscape6/6.2.2



Chris Weiss wrote:
> Patrick Price (address@hidden) wrote*:
>> The other problem with the admin authentication - pages are cached:
>>
>> I can be in admin/config (or header admin) and select Logout.
>>
>> Going to /phpgroupware/setup gives me login screen. It *appears* that I
>> am logged out..
>>
>> Click Back button on browser (IE 5.5) to the cached admin screen.
>
> IE's caching is way too aggressive.

This also happens in Netscape Communicator 4.76 when caching (compare document to network) is set to "never".

>> Reload/Refresh page re-authenticates me without password and logs me
>> back in somehow (hidden form vars?). If you don't hit refresh you don't
>> get reauthenticated - you'll see the page but cannot do anything without
>> login screen coming back up.
>
> When I hit "back" it tells me the page has expired. Refresh and it asks me to
> repost the form (the login form) so in effect I am logging in again.

See above re: your cache setting. You should *never* be able to reauthenticate by reposting a browser form. This is not security, it's a hole.

> So either I am not experiencing the same thing as you, or you have a great
> misunderstanding about how web based apps and browsers work. It's really rather
> simple, they do what you tell them to. You tell it to repost a form it's gonna do
> it. On the server there is no way at all of telling whether you clicked submit or
> told IE to go ahead and repost through a refresh, it all looks the same.

Right, tell me I don't understand and blame a browser version without even checking your own browser by changing a setting. Is this too much trouble for you to do? I do understand that when a person clicks Logout, they should be logged out, and there should be no way in hell a person can walk up to my browser and get back in and change configuration settings for an application. Or to have two passwords which supposedly are protecting data when they do no such thing. I suppose I will log this to BugTraq since posting this here is obviously being ignored, and then you can tell the world how they don't understand browsers and everything will be OK from your perspective.

> So maybe there needs to be a blurb on the login screen warning people to not use
> back buttons? In general back buttons are very bad in web apps. They are not to
> be used unless there is no other way. I learned this many years ago and I guess
> many of us take this for granted.

How about a blurb not to use phpGroupWare until its obvious security holes are fixed? Or a "please, don't hack this product, it has security holes but please don't try to break it." That should do it. :-)

Patrick Price
Senior UNIX Systems Administrator
West Virginia University
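The two behaviours argued over in this thread (a cached admin page still visible after Logout, and a Refresh that re-submits the login form) are both things the server side can close off, regardless of browser cache settings. The PHP front controller below is an added example written for this archive page; it is not phpGroupWare code and not from either poster. It assumes a hypothetical `check_credentials()` backed by a constructed sample user, the placeholder paths `/login.php` and `/admin/index.php`, and PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not phpGroupWare code): server-side handling of the two
// behaviours discussed in the thread.
//   1. Every authenticated page is sent with Cache-Control: no-store, so the
//      browser keeps no copy to show after Logout via the Back button.
//   2. Logout destroys the server-side session and expires the cookie, so a
//      reloaded stale page finds no session and lands on the login form.
//   3. Login follows Post/Redirect/Get: the credential POST answers with a
//      303 redirect, so Refresh on the landing page issues a plain GET instead
//      of asking the browser to re-submit the form.
declare(strict_types=1);

// Hypothetical credential check against a constructed sample user store.
// A real application verifies against stored password hashes.
function check_credentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('sample-password-only', PASSWORD_DEFAULT)]; // constructed
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function send_no_cache_headers(): void
{
    // "no-store" is the directive that keeps the response out of the cache;
    // the rest covers HTTP/1.0-era clients such as the browsers named above.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

function start_session(): void
{
    session_cache_limiter('nocache');      // PHP emits no-store headers itself
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']); // add 'secure' => true over HTTPS
    session_start();
}

function login(string $user, string $password): void
{
    if (!check_credentials($user, $password)) {
        header('Location: /login.php?failed=1', true, 303);
        exit;
    }
    session_regenerate_id(true);           // fresh session id after authentication
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    header('Location: /admin/index.php', true, 303);   // Post/Redirect/Get
    exit;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {  // expire the session cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                     // server-side session is gone; a stale page cannot revive it
    send_no_cache_headers();
    header('Location: /login.php', true, 303);
    exit;
}

function require_login(): void
{
    if (empty($_SESSION['user'])) {
        send_no_cache_headers();
        header('Location: /login.php', true, 303);
        exit;
    }
    send_no_cache_headers();               // authenticated content is never cacheable
}

// Dispatcher: one front controller for login, logout and the protected page.
start_session();
$action = $_GET['action'] ?? 'page';
switch ($action) {
    case 'login':
        login((string)($_POST['user'] ?? ''), (string)($_POST['password'] ?? ''));
        break;
    case 'logout':
        logout();
        break;
    default:
        require_login();
        echo 'Admin configuration page for ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
}
```

With this layout, Back after Logout fetches the page again rather than rendering a cached copy (there is none), the fresh request has no valid session and redirects to the login form, and Refresh on the admin page repeats a GET rather than a credential POST. The check a reviewer would make on any web application with the symptoms described above is simply to look at the response headers of an authenticated page and of the logout response for `Cache-Control: no-store`, and to confirm that the login POST answers with a redirect rather than the page itself.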
