
[#15095] Horde allows unauthenticated users
Summary Horde allows unauthenticated users
Queue Horde Groupware
Queue Version 5.2.22
Type Bug
State Not A Bug
Priority 3. High
Owners
Requester horde_bugs (at) arpnet (dot) net
Created 02/14/2022 (1243 days ago)
Due
Updated 02/17/2022 (1240 days ago)
Assigned
Resolved 02/17/2022 (1240 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
02/17/2022 09:49:42 AM Jan Schneider Comment #2
State ⇒ Not A Bug
This is a support question, not a bug report.

Please use the mailing lists to ask for support.

http://www.horde.org/mail/ contains a list of all available mailing lists.
02/14/2022 07:33:19 AM horde_bugs (at) arpnet (dot) net Comment #1
State ⇒ Unconfirmed
Priority ⇒ 3. High
Type ⇒ Bug
Summary ⇒ Horde allows unauthenticated users
Queue ⇒ Horde Groupware
Milestone ⇒
Patch ⇒ No
I have a Horde install on FreeBSD/Dovecot/Postfix that is supposed 
to authenticate users against a MySQL database. The users are added to 
the database with postfixadmin.
If a user logs into Horde with a legitimate username and an 
incorrect password, Horde lets them through, allowing access to 
Contacts, Calendar etc. but not mail; however, IMP throws the error: 
User is not authorized for Mail (Host: ***.***.***.****). Also, if the 
legitimate username with the wrong password belongs to an admin, Horde allows 
access to the Administration Configuration.

If the user enters the proper password, everything is fine and there are no errors.

Is this a bug or a misconfiguration? How do I resolve this?




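<?php
/*
 * Horde conf.php as posted in the ticket (secrets redacted as '**').
 *
 * Authentication is delegated to postfixadmin's `mailbox` table through the
 * 'customsql' driver. Every query_* value is a SQL template; judging by how the
 * originals use them, \L stands for the login name and \P for the password
 * value Horde writes. 'encryption' and 'show_encryption' describe the hash
 * format Horde expects to find in `mailbox.password`; if they do not match what
 * postfixadmin actually stores, the password comparison is not meaningful.
 * The symptoms in this ticket (a known user is let in with any password, IMP
 * then rejects the same user) are most plausibly explained by this auth block
 * rather than by the rest of the file — to be confirmed against the Horde log
 * (syslog, priority INFO, per the [log] section below).
 */
/* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
$conf['vhosts'] = false;
$conf['debug_level'] = E_ALL & ~E_NOTICE;
$conf['max_exec_time'] = 0;
$conf['compress_pages'] = true;
// Redacted in the ticket; this key signs URL tokens/HMACs (lifetimes below).
$conf['secret_key'] = '**';
$conf['umask'] = 077;
$conf['testdisable'] = true;
$conf['use_ssl'] = 2;
$conf['server']['name'] = $_SERVER['SERVER_NAME'];
$conf['urls']['token_lifetime'] = 30;
$conf['urls']['hmac_lifetime'] = 30;
$conf['urls']['pretty'] = false;
$conf['safe_ips'] = array();
// Session hardening: cookie-only session id, session bound to client IP and
// browser string (see [auth] checkip/checkbrowser), no caching of pages.
$conf['session']['name'] = 'Horde';
$conf['session']['use_only_cookies'] = true;
$conf['session']['timeout'] = 0;
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['max_time'] = 72000;
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/';
// Horde's own database (prefs, shares, sessions-related tables, ...), distinct
// from the postfix database used for authentication further down.
$conf['sql']['username'] = '**';
$conf['sql']['password'] = '**';
$conf['sql']['hostspec'] = 'localhost';
$conf['sql']['port'] = 3306;
$conf['sql']['protocol'] = 'tcp';
$conf['sql']['database'] = 'horde';
$conf['sql']['charset'] = 'utf-8';
$conf['sql']['ssl'] = false;
$conf['sql']['splitread'] = false;
$conf['sql']['logqueries'] = false;
$conf['sql']['phptype'] = 'mysql';
$conf['nosql']['phptype'] = false;
$conf['ldap']['useldap'] = false;
// Admin rights are granted purely by login name, so they are only as strong as
// the password check configured in the auth params below.
$conf['auth']['admins'] = array('**');
$conf['auth']['checkip'] = true;
$conf['auth']['checkbrowser'] = true;
$conf['auth']['resetpassword'] = true;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
$conf['auth']['list_users'] = 'list';
// Authentication backend: the postfixadmin database, accessed as DB user
// 'postfix'. That account needs SELECT for query_auth/query_getpw/query_list/
// query_exists but also INSERT/UPDATE/DELETE for query_add/query_resetpassword/
// query_remove — grant only what the enabled features use.
$conf['auth']['params']['phptype'] = 'mysql';
$conf['auth']['params']['hostspec'] = 'localhost';
$conf['auth']['params']['protocol'] = 'tcp';
$conf['auth']['params']['username'] = 'postfix';
$conf['auth']['params']['password'] = '**';
$conf['auth']['params']['database'] = 'postfix';
// Returns the stored hash for the login name; Horde compares it with the
// submitted password hashed per 'encryption'/'show_encryption' below.
$conf['auth']['params']['query_auth'] = 'SELECT password FROM mailbox 
WHERE username = \L';
// NOTE(review): left as posted, but it does not match the mailbox schema shown
// in the ticket — there is no `home` column (the table has `maildir`), and the
// SUBSTRING_INDEX(...) inside the quoted path is part of the string literal,
// not an evaluated expression. Presumably only exercised when Horde itself
// creates an account (signup is enabled below) — verify before relying on it.
$conf['auth']['params']['query_add'] = 'INSERT INTO mailbox (domain, 
username , password, home) VALUES ( SUBSTRING_INDEX(\L, \'@\', -1), 
\L, \P, \'/usr/local/virtual/SUBSTRING_INDEX(\L, \'@\', -1)/\L\')';
$conf['auth']['params']['query_getpw'] = 'SELECT password FROM mailbox 
WHERE username = \L';
$conf['auth']['params']['query_update'] = '';
// NOTE(review): `AND password = \P` compares the stored hash with the
// replacement value, so this UPDATE looks like it can only match when old and
// new hashes are equal — confirm the intended semantics of \P here.
$conf['auth']['params']['query_resetpassword'] = 'UPDATE mailbox SET 
password = \P WHERE username = \L AND password = \P';
$conf['auth']['params']['query_remove'] = 'DELETE FROM mailbox WHERE 
username = \L AND domain = SUBSTRING_INDEX(\L, \'@\', -1)';
// Changed from `SELECT * FROM mailbox`: `username` was already the first column
// of the result (it is the table's primary key in the posted schema), so a
// consumer of the first column sees the same values, while `password`, `token`
// and the other per-mailbox columns are no longer handed to Horde for every
// user in the listing.
$conf['auth']['params']['query_list'] = 'SELECT username FROM mailbox';
// Fixed: the original read `WHERE SUBSTRING_INDEX(\L, '@', 1) AND domain = ...`,
// i.e. the left-hand side of the first comparison was missing, so the WHERE
// clause evaluated a bare string in boolean context instead of checking a
// column. `username` is the primary key, so the existence check can mirror
// query_auth.
$conf['auth']['params']['query_exists'] = 'SELECT 1 FROM mailbox WHERE username = \L';
// Hash format Horde expects in mailbox.password. Must agree with the scheme
// postfixadmin uses to write that column (including whether a "{scheme}"
// prefix is present, which is what 'show_encryption' controls).
$conf['auth']['params']['encryption'] = 'crypt-md5';
$conf['auth']['params']['show_encryption'] = true;
$conf['auth']['driver'] = 'customsql';
// Brute-force throttling: failed logins are counted and the account is blocked
// after 3 of them for 15 (unit not stated here — presumably minutes; confirm).
$conf['auth']['params']['count_bad_logins'] = true;
$conf['auth']['params']['login_block'] = true;
$conf['auth']['params']['login_block_count'] = 3;
$conf['auth']['params']['login_block_time'] = 15;
// Self-service signup is enabled but requires approval by an admin.
$conf['signup']['params']['driverconfig'] = 'horde';
$conf['signup']['driver'] = 'Sql';
$conf['signup']['email'] = '**';
$conf['signup']['approve'] = true;
$conf['signup']['allow'] = true;
// Logging to syslog at INFO; this is where login outcomes should be visible.
$conf['log']['priority'] = 'INFO';
$conf['log']['ident'] = 'HORDE';
$conf['log']['name'] = LOG_USER;
$conf['log']['type'] = 'syslog';
$conf['log']['enabled'] = true;
$conf['log_accesskeys'] = false;
$conf['prefs']['maxsize'] = 65535;
$conf['prefs']['params']['driverconfig'] = 'horde';
$conf['prefs']['driver'] = 'Sql';
$conf['alarms']['params']['driverconfig'] = 'horde';
$conf['alarms']['params']['ttl'] = 300;
$conf['alarms']['driver'] = 'Sql';
$conf['group']['params']['driverconfig'] = 'horde';
$conf['group']['driver'] = 'Sql';
$conf['perms']['driverconfig'] = 'horde';
$conf['perms']['driver'] = 'Sql';
// 'world' = true permits shares that are visible to every authenticated user;
// with the auth problem described in the ticket that audience is wider than
// intended until authentication is fixed.
$conf['share']['no_sharing'] = false;
$conf['share']['auto_create'] = true;
$conf['share']['world'] = true;
$conf['share']['any_group'] = false;
$conf['share']['hidden'] = false;
$conf['share']['cache'] = false;
$conf['share']['driver'] = 'Sqlng';
$conf['cache']['default_lifetime'] = 86400;
$conf['cache']['params']['sub'] = 0;
$conf['cache']['driver'] = 'File';
$conf['cache']['use_memorycache'] = '';
$conf['cachecssparams']['url_version_param'] = true;
$conf['cachecss'] = false;
$conf['cachejsparams']['url_version_param'] = true;
$conf['cachejs'] = false;
$conf['cachethemes'] = false;
$conf['lock']['params']['driverconfig'] = 'horde';
$conf['lock']['driver'] = 'Sql';
$conf['token']['params']['driverconfig'] = 'horde';
$conf['token']['driver'] = 'Sql';
$conf['history']['params']['driverconfig'] = 'horde';
$conf['history']['driver'] = 'Sql';
$conf['davstorage']['params']['driverconfig'] = 'horde';
$conf['davstorage']['driver'] = 'Sql';
// Outbound mail: SMTP on port 25 with STARTTLS ('tls'), no SMTP authentication.
$conf['mailer']['params']['host'] = '**';
$conf['mailer']['params']['port'] = 25;
$conf['mailer']['params']['secure'] = 'tls';
$conf['mailer']['params']['localhost'] = '**';
$conf['mailer']['params']['auth'] = false;
$conf['mailer']['params']['lmtp'] = false;
$conf['mailer']['type'] = 'smtp';
$conf['vfs']['params']['driverconfig'] = 'horde';
$conf['vfs']['type'] = 'Sql';
$conf['sessionhandler']['type'] = 'Builtin';
$conf['sessionhandler']['hashtable'] = false;
// External binaries invoked by Horde; paths are absolute, as they should be.
$conf['spell']['params']['path'] = '/usr/local/bin/aspell';
$conf['spell']['driver'] = 'aspell';
$conf['gnupg']['path'] = '/usr/local/bin/gpg';
$conf['gnupg']['keyserver'] = array('pool.sks-keyservers.net', 
'subkeys.pgp.net', 'pgp.mit.edu');
$conf['gnupg']['timeout'] = 10;
$conf['nobase64_img'] = false;
$conf['image']['convert'] = '/usr/local/bin/convert';
$conf['image']['identify'] = '/usr/local/bin/identify';
$conf['image']['driver'] = 'Im';
$conf['exif']['driver'] = 'Bundled';
$conf['timezone']['location'] = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz';
$conf['problems']['email'] = '**';
$conf['problems']['maildomain'] = '**';
$conf['problems']['tickets'] = false;
$conf['problems']['attachments'] = true;
$conf['menu']['links']['help'] = 'all';
$conf['menu']['links']['prefs'] = 'authenticated';
$conf['menu']['links']['problem'] = 'never';
$conf['menu']['links']['login'] = 'all';
$conf['menu']['links']['logout'] = 'authenticated';
$conf['portal']['fixed_blocks'] = array('horde:horde_Block_Cloud', 
'horde:horde_Block_Feed', 'horde:horde_Block_Iframe', 
'horde:horde_Block_Moon', 'horde:horde_Block_Sunrise', 
'horde:horde_Block_Time', 'horde:horde_Block_Vatid', 
'horde:horde_Block_Account', 'ingo:ingo_Block_Overview', 
'kronolith:kronolith_Block_Monthlist', 
'kronolith:kronolith_Block_Prevmonthlist', 
'kronolith:kronolith_Block_Summary', 
'kronolith:kronolith_Block_Month', 'mnemo:mnemo_Block_Summary', 
'mnemo:mnemo_Block_Note', 'nag:nag_Block_Summary', 
'trean:trean_Block_Mostclicked', 'trean:trean_Block_Bookmarks', 
'turba:turba_Block_Minisearch');
$conf['accounts']['driver'] = 'null';
$conf['user']['verify_from_addr'] = true;
$conf['user']['select_view'] = true;
$conf['facebook']['enabled'] = false;
$conf['twitter']['enabled'] = false;
$conf['urlshortener'] = false;
$conf['weather']['provider'] = false;
$conf['imap']['enabled'] = false;
$conf['imsp']['enabled'] = false;
$conf['kolab']['enabled'] = false;
$conf['hashtable']['driver'] = 'none';
$conf['activesync']['enabled'] = false;
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */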

database tables:

+-----------------------+
| Tables_in_postfix     |
+-----------------------+
| admin                 |
| alias                 |
| alias_domain          |
| config                |
| domain                |
| domain_admins         |
| fetchmail             |
| log                   |
| mailbox               |
| quota                 |
| quota2                |
| vacation              |
| vacation_notification |
+-----------------------+
13 rows in set (0.00 sec)


+-----------------+--------------+------+-----+---------------------+-------+
| Field           | Type         | Null | Key | Default             | Extra |
+-----------------+--------------+------+-----+---------------------+-------+
| username        | varchar(255) | NO   | PRI | NULL                |       |
| password        | varchar(255) | NO   |     | NULL                |       |
| name            | varchar(255) | NO   |     | NULL                |       |
| maildir         | varchar(255) | NO   |     | NULL                |       |
| quota           | bigint(20)   | NO   |     | 0                   |       |
| local_part      | varchar(255) | NO   |     | NULL                |       |
| domain          | varchar(255) | NO   | MUL | NULL                |       |
| created         | datetime     | NO   |     | 2000-01-01 00:00:00 |       |
| modified        | datetime     | NO   |     | 2000-01-01 00:00:00 |       |
| active          | tinyint(1)   | NO   |     | 1                   |       |
| phone           | varchar(30)  | NO   |     |                     |       |
| email_other     | varchar(255) | NO   |     |                     |       |
| token           | varchar(255) | NO   |     |                     |       |
| token_validity  | datetime     | NO   |     | 2000-01-01 00:00:00 |       |
| password_expiry | datetime     | NO   |     | 2000-01-01 00:00:00 |       |
+-----------------+--------------+------+-----+---------------------+-------+
15 rows in set (0.00 sec)
