I'm sorry, I don't follow you at all.

Yes I know, but it's not properly speaking a denial of service. Should 
be rare.



I'll be obliged to leave with my patch and some others colleagues 
without tokens! (bad idea..) Even if a CAS SSO server is able to know 
which service has been used, it will have no idea of the token to 
logout a user. We can just say: for that service, use that URL.



There will be a better patch to furnish a list of servers which are 
autorized to logout whithout token. What do you think about?



Dom

By doing this your users can be logged out by someone who includes an 
image in an email pointing to a logout link. It's a denial of service 
type of attack.

We are using a CAS SSO. To logout all user applications, we produce 
page with iframes pointing to logout URLs



As there is now a token for logout action, we can't log out users.



I patched login.php:



Shall we consider that we must protect the logout form. What can be an 
attack using logout form? For me: nothing..



root@ent1:/var/www/perso# diff -u -p horde/login.php.org horde/login.php

--- horde/login.php.org 2009-06-08 16:27:27.000000000 +0200

+++ horde/login.php     2009-06-08 16:26:51.000000000 +0200

@@ -60,12 +60,6 @@ if (($pos = strrpos($url_in, '#')) !== f

  }



  if ($logout_reason) {

-    if (Auth::getAuth()) {

-        $result = Horde::checkRequestToken('horde.logout', 
Util::getFormData('horde_logout_token'));

-        if (is_a($result, 'PEAR_Error')) {

-            exit($result->getMessage());

-        }

-    }



      $login_screen = $auth->getLoginScreen();

      if (Util::getFormData('nosidebar') &&