2021-01-18

[#1022] Collapsing Horde sidebar results in empty cookie
Summary Collapsing Horde sidebar results in empty cookie
Queue Horde Base
Queue Version 3.0
Type Bug
State Resolved
Priority 2. Medium
Owners
Requester peter (at) prwdot (dot) org
Created 2004-12-27 (5866 days ago)
Due
Updated 2004-12-31 (5862 days ago)
Assigned
Resolved 2004-12-31 (5862 days ago)
Milestone
Patch No

History
2004-12-31 04:40:24 peter (at) prwdot (dot) org Comment #5
Yep, that fixed the empty cookie behavior. Thanks!
2004-12-31 04:30:50 Chuck Hagenbuch Comment #4
State ⇒ Resolved
Cookie values shouldn't be empty anymore; try this patch:

http://cvs.horde.org/diff.php/horde/templates/javascript/tree.js?r1=1.62&r2=1.62.2.1&ty=u
2004-12-30 02:26:38 peter (at) prwdot (dot) org Comment #3
Interestingly, I do *not* see this behavior with Safari 1.2.4 
(v125.12) on Mac OS X 10.3.7. Just Firefox and MSIE on Windows.
2004-12-27 16:03:27 peter (at) prwdot (dot) org Comment #2
P.S.

I have confirmed this behavior in:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322) (aka MSIE 6 on Windows XP Pro SP2)

and

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041216 Firefox/1.0+ (aka Firefox 1.0+ nightly build on Windows XP Pro SP2)
2004-12-27 15:08:30 peter (at) prwdot (dot) org Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ Collapsing Horde sidebar results in empty cookie
Queue ⇒ Horde Base
Summary:

After having expanded several nodes in the Horde sidebar, collapsing 
all of them causes an empty cookie to be sent to the browser. 
Server-side software such as the Apache mod_security module might 
detect this as an exploit of some sort, as seen in the mod_security 
audit report below:

========================================
Request: x.x.x.x - - [27/Dec/2004:09:42:27 --0500] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 403 229
Handler: application/x-httpd-php
----------------------------------------
GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://horde.prwdot.org/services/portal/sidebar.php
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Host: x.y.z
Connection: Keep-Alive
Cookie: Horde=xxxxxxxxxxxxxxxxxxxxx; auth_key=xxxxxxxxxxxxxxxxxxxx; imp_key=xxxxxxxxxxxxxxxxx; horde_menu_expanded=
mod_security-message: Invalid cookie format: Cookie value is missing #2
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Length: 229
Keep-Alive: timeout=30, max=59
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
---------------------

As seen in the above report, the horde_menu_expanded cookie is empty. 
In this particular mod_security configuration, mod_security generates 
an error 403 denied.

A browser-side workaround is to simply re-expand one or more Horde 
menus, thus sending back a non-empty horde_menu_expanded cookie.

For a server-side code fix, perhaps change 
Horde_Tree.prototype._setCookie in horde/templates/javascript/tree.js 
so that an empty cookie will not be set in the browser, or so that it 
would set the cookie to expire in the past, thus removing the empty 
cookie at the browser's earliest convenience. I'm sure there is some 
other good way to get around this issue.
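
The approach suggested in the report (expire the cookie instead of storing an empty value), as an added example that is not part of the ticket and is not the code from Horde's tree.js. The function names, the '|' separator and the Map standing in for the browser's cookie store are assumptions made for illustration.

```javascript
// Added example: names and the '|' separator are hypothetical, not Horde's tree.js.

// String to assign to document.cookie for the currently expanded node ids.
// With nothing expanded, return a deletion (expiry in the past) instead of "name=".
function buildMenuCookie(name, expandedIds, path = '/') {
  const value = expandedIds.map((id) => encodeURIComponent(id)).join('|');
  if (value === '') {
    return `${name}=x; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`;
  }
  return `${name}=${value}; path=${path}`;
}

// Minimal stand-in for the browser cookie store: apply one document.cookie
// assignment to a Map, dropping the entry when its expiry is in the past.
function applyCookie(jar, assignment, now = Date.now()) {
  const [pair, ...attrs] = assignment.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const exp = attrs.find((a) => a.toLowerCase().startsWith('expires='));
  if (exp && Date.parse(exp.slice(8)) <= now) jar.delete(name);
  else jar.set(name, value);
  return jar;
}

// Cookie request header the browser would send for the jar's contents.
function cookieHeader(jar) {
  return [...jar].map(([n, v]) => `${n}=${v}`).join('; ');
}

// Names of cookies sent with no value: the condition the audit log reports
// as "Cookie value is missing".
function emptyCookieNames(header) {
  return header.split(';').map((p) => p.trim()).filter(Boolean)
    .filter((p) => !p.includes('=') || p.indexOf('=') === p.length - 1)
    .map((p) => p.replace(/=$/, ''));
}

// Constructed demo: the empty assignment seen in the report, then the fixed setter.
const demoJar = applyCookie(new Map([['Horde', 'abc']]), 'horde_menu_expanded=; path=/');
console.log(emptyCookieNames(cookieHeader(demoJar)));   // cookie flagged by the filter
applyCookie(demoJar, buildMenuCookie('horde_menu_expanded', []));
console.log(cookieHeader(demoJar));                     // header after the deletion
```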
