phpgroupware-users


Re: [Phpgroupware-users] emails from other account to be seen


From: Dave Hall
Subject: Re: [Phpgroupware-users] emails from other account to be seen
Date: Fri, 24 Sep 2004 22:19:22 +1000

Hi Dirk,

I thought a little more about this.

Couple of questions to try to track it down:

session type: get or cookies - (does the url contain kp3=uwq89qcj29h7f)

do the affected user/s log in to other accounts?

accounts system used? sql or ldap?

This info *might* help me track it down.  If it is a security problem, I
will ensure it is fixed quickly, but first we need to know where to go
hunting and what test env is needed.

On Fri, 2004-09-24 at 22:11, Dirk H. Schulz wrote:
> Hi,
> 
> --On Friday, 24 September 2004 8:57 +0000 Guillaume Courtois 
> <address@hidden> wrote:
> 
> >> I am using 0.9.14.007 and have a security problem: Sometimes one user is
> >> shown some emails from the account of a different user - instead of his
> >> own emails. It is not reproducible, but it happens. I even managed to
> >> get a screenshot from that - so it is not a short time impression that
> >> can be wrong.
> >>
> >> Is this a known bug? Is it fixed in 0.9.16?
> >
> > Never heard of that ! I'm using phpGW for my everyday mail, and I've
> > never had this problem.
> 
> The same with me. I never had this before, and I only have it in one 
> certain instance of phpgroupware and with one pair of accounts. But since 
> email app uses the courier imap server and since all is fine if I use this 
> imap server via a classic MUA I think it must be a phpgroupware related 
> problem.
> 
> >
> > Maybe check the permissions of the mailbox files ? On what platform do you
> > have this ?
> 
> Yes, I have checked these. But thinking of what I said above I think the 
> problem cannot be with the underlying mail system. I think that phpgw 
> somehow uses the login credentials of one account while I am logged in to 
> the other account.
> 
> That is really strange. But it is quite a security problem if it is not 
> some kind of stupidity on my part.
> 
> Does anyone have any idea on how to verify this?
> 

-- 
Dave Hall (aka skwashd)
API Coordinator
phpGroupWare




