phpgroupware-users

Re: [Phpgroupware-users] emails from other account to be seen


From: Dirk H. Schulz
Subject: Re: [Phpgroupware-users] emails from other account to be seen
Date: Fri, 24 Sep 2004 15:29:54 +0200

Hi Chris,

--On Friday, 24 September 2004 7:43 -0500 Chris Weiss <address@hidden> wrote:

the emails are cached in the phpgw_anglemail table.  I'm not sure how
possible it is to get something odd in data that would cause the sql
query to grab records for a different user account.  Can you turn on
sql logging/tracing in your database and see what the sql query is
when the other user's emails are shown?  This will likely create a HUGE
log file, so make sure you have plenty of space for it and don't leave
it on forever.

There is 14 GB free at /var at the moment, so no problem, I think. And this phpgw instance is not too busy.

I could look it up of course, but could you simply tell me how to turn on sql logging/tracing in mysql? I am not too deep into mysql administration yet, and for now this would be faster (I think you simply shake it from your head, don't you).

Dirk




On Fri, 24 Sep 2004 22:19:22 +1000, Dave Hall
<address@hidden> wrote:
Hi Dirk,

I thought a little more about this.

Couple of questions to try to track it down:

session type: get or cookies - (does the url contain kp3=uwq89qcj29h7f)

do the affected user/s login to other accounts?

accounts system used? sql or ldap?

This info *might* help me track it down.  If it is a security problem, I
will ensure it is fixed quickly, but first we need to know where to go
hunting and what test env is needed.

On Fri, 2004-09-24 at 22:11, Dirk H. Schulz wrote:
> Hi,
>
> --On Friday, 24 September 2004 8:57 +0000 Guillaume Courtois
> <address@hidden> wrote:
>
> >> I am using 0.9.14.007 and have a security problem: Sometimes one
> >> user is shown some emails from the account of a different user -
> >> instead of his own emails. It is not reproducible, but it happens.
> >> I even managed to get a screenshot from that - so it is not a short
> >> time impression that can be wrong.
> >>
> >> Is this a known bug? Is it fixed in 0.9.16?
> >
> > Never heard of that ! I'm using phpGW for my everyday mail, and I've
> > never had this problem.
>
> The same with me. I never had this before, and I only have it in one
> certain instance of phpgroupware and with one pair of accounts. But
> since email app uses the courier imap server and since all is fine if
> I use this imap server via a classic MUA I think it must be a
> phpgroupware related problem.
>
> >
> > Maybe check the permissions of the mailbox files ? On what platform
> > do you have this ?
>
> Yes, I have checked these. But thinking of what I said above I think
> the problem cannot be with the underlying mail system. I think that
> phpgw somehow uses the login credentials of one account while I am
> logged in to the other account.
>
> That is really strange. But it is quite a security problem if it is not
> some kind of stupidity on my part.
>
> Does anyone have any idea on how to verify this?
>

--
Dave Hall (aka skwashd)
API Coordinator
phpGroupWare




_______________________________________________
Phpgroupware-users mailing list
address@hidden
http://lists.gnu.org/mailman/listinfo/phpgroupware-users



