Summary | Horde allows unauthenticated users |
Queue | Horde Groupware |
Queue Version | 5.2.22 |
Type | Bug |
State | Not A Bug |
Priority | 3. High |
Owners | |
Requester | horde_bugs (at) arpnet (dot) net |
Created | 02/14/2022 (1243 days ago) |
Due | |
Updated | 02/17/2022 (1240 days ago) |
Assigned | |
Resolved | 02/17/2022 (1240 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
State ⇒ Not A Bug
Please use the mailing lists to ask for support.
http://www.horde.org/mail/ contains a list of all available mailing lists.
State ⇒ Unconfirmed
Priority ⇒ 3. High
Type ⇒ Bug
Summary ⇒ Horde allows unauthenticated users
Queue ⇒ Horde Groupware
Milestone ⇒
Patch ⇒ No
to authenticate users in a MySQL database. The users are added into
the database with postfixadmin.
If a user logs into Horde with a legitimate username and an
incorrect password, Horde lets them through, allowing access to
Contacts, Calendar, etc. but not mail. However, IMP throws the error:
User is not authorized for Mail (Host: ***.***.***.****). Also, if the
legitimate username and wrong password is an admin, horde allows
access to the Administration Configuration.
If the user enters the correct password, everything works and no errors appear.
Is this a bug or a misconfiguration? How do I resolve this?
<?php
/*
 * Horde core conf.php as pasted into the ticket. Secrets (keys, passwords,
 * admin names, mail hosts) are redacted as '**'.
 *
 * Authentication is delegated to the postfixadmin `mailbox` table through
 * the `customsql` driver ($conf['auth'] below); all other Horde storage
 * (prefs, groups, perms, shares, locks, tokens, history, VFS) lives in the
 * `horde` MySQL database ($conf['sql']).
 *
 * NOTE(review): this file is generated by Horde's configuration UI (see the
 * CONFIG START / CONFIG END markers); the review comments below are notes
 * for the reader and would be lost on the next regeneration.
 */
/* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
$conf['vhosts'] = false;
$conf['debug_level'] = E_ALL & ~E_NOTICE;
$conf['max_exec_time'] = 0;
$conf['compress_pages'] = true;
// Redacted in the ticket; used by Horde for HMACs/tokens (see token_lifetime
// and hmac_lifetime below).
$conf['secret_key'] = '**';
$conf['umask'] = 077;
// Test page disabled in production.
$conf['testdisable'] = true;
$conf['use_ssl'] = 2;
// NOTE(review): SERVER_NAME is supplied by the web server and, depending on
// the virtual-host setup, can follow the request's Host header. An explicit
// hostname here (and for the cookie domain below) makes generated URLs and
// the cookie scope independent of what the client sends.
$conf['server']['name'] = $_SERVER['SERVER_NAME'];
$conf['urls']['token_lifetime'] = 30;
$conf['urls']['hmac_lifetime'] = 30;
$conf['urls']['pretty'] = false;
// No IPs are exempted from the safety checks below.
$conf['safe_ips'] = array();
$conf['session']['name'] = 'Horde';
$conf['session']['use_only_cookies'] = true;
$conf['session']['timeout'] = 0;
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['max_time'] = 72000;
// See the SERVER_NAME note on $conf['server']['name'] above.
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/';
// Horde's own database (prefs, groups, perms, shares, ...). Credentials
// redacted.
$conf['sql']['username'] = '**';
$conf['sql']['password'] = '**';
$conf['sql']['hostspec'] = 'localhost';
$conf['sql']['port'] = 3306;
$conf['sql']['protocol'] = 'tcp';
$conf['sql']['database'] = 'horde';
$conf['sql']['charset'] = 'utf-8';
$conf['sql']['ssl'] = false;
$conf['sql']['splitread'] = false;
$conf['sql']['logqueries'] = false;
$conf['sql']['phptype'] = 'mysql';
$conf['nosql']['phptype'] = false;
$conf['ldap']['useldap'] = false;
// Administrator login names (redacted). Anyone who authenticates as one of
// these gets the administration UI, so the correctness of the password
// check configured below matters most for these accounts.
$conf['auth']['admins'] = array('**');
// Session is re-validated against the client IP and browser string on each
// request (session-hijacking mitigation).
$conf['auth']['checkip'] = true;
$conf['auth']['checkbrowser'] = true;
$conf['auth']['resetpassword'] = true;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
$conf['auth']['list_users'] = 'list';
// Authentication backend: the postfixadmin database, accessed as the
// `postfix` MySQL user (password redacted).
$conf['auth']['params']['phptype'] = 'mysql';
$conf['auth']['params']['hostspec'] = 'localhost';
$conf['auth']['params']['protocol'] = 'tcp';
$conf['auth']['params']['username'] = 'postfix';
$conf['auth']['params']['password'] = '**';
$conf['auth']['params']['database'] = 'postfix';
// In the customsql queries, \L is replaced by the login name and \P by the
// password as prepared by the driver (per the 'encryption' setting below).
// query_auth returns the stored hash; Horde then compares it against the
// submitted password using that scheme.
$conf['auth']['params']['query_auth'] = 'SELECT password FROM mailbox
WHERE username = \L';
$conf['auth']['params']['query_add'] = 'INSERT INTO mailbox (domain,
username , password, home) VALUES ( SUBSTRING_INDEX(\L, \'@\', -1),
\L, \P, \'/usr/local/virtual/SUBSTRING_INDEX(\L, \'@\', -1)/\L\')';
// Same query as query_auth.
$conf['auth']['params']['query_getpw'] = 'SELECT password FROM mailbox
WHERE username = \L';
$conf['auth']['params']['query_update'] = '';
// NOTE(review): the WHERE clause also filters on `password = \P`. If \P
// expands to the new password here, this predicate never matches the
// existing row — confirm what the driver substitutes for \P in this query.
$conf['auth']['params']['query_resetpassword'] = 'UPDATE mailbox SET
password = \P WHERE username = \L AND password = \P';
$conf['auth']['params']['query_remove'] = 'DELETE FROM mailbox WHERE
username = \L AND domain = SUBSTRING_INDEX(\L, \'@\', -1)';
// NOTE(review): selects every column, including the password hash, although
// presumably only the login names are needed for listing; a narrower
// projection (e.g. `SELECT username FROM mailbox`) limits what leaves the
// database.
$conf['auth']['params']['query_list'] = 'SELECT * FROM mailbox';
// NOTE(review): the first predicate is a bare `SUBSTRING_INDEX(\L, '@', 1)`
// with no column comparison (the mailbox table has a `local_part` column,
// which this was presumably meant to compare against). As written the
// expression is evaluated as a boolean, so the existence check may not
// behave as intended.
$conf['auth']['params']['query_exists'] = 'SELECT 1 FROM mailbox WHERE
SUBSTRING_INDEX(\L, \'@\', 1) AND domain = SUBSTRING_INDEX(\L, \'@\',
-1)';
// NOTE(review): the scheme configured here (crypt-md5, with a scheme prefix
// expected in the stored value because show_encryption is true) must match
// the format postfixadmin actually writes into mailbox.password. When the
// password check behaves unexpectedly, comparing a stored value against the
// format this setting expects is the first thing to verify.
$conf['auth']['params']['encryption'] = 'crypt-md5';
$conf['auth']['params']['show_encryption'] = true;
$conf['auth']['driver'] = 'customsql';
// Failed-login throttling: bad logins are counted and the login is blocked
// after 3 failures for the configured block time.
$conf['auth']['params']['count_bad_logins'] = true;
$conf['auth']['params']['login_block'] = true;
$conf['auth']['params']['login_block_count'] = 3;
$conf['auth']['params']['login_block_time'] = 15;
// Self-signup is enabled but requires approval (approve = true); signup
// notifications go to the redacted address.
$conf['signup']['params']['driverconfig'] = 'horde';
$conf['signup']['driver'] = 'Sql';
$conf['signup']['email'] = '**';
$conf['signup']['approve'] = true;
$conf['signup']['allow'] = true;
// Logging to syslog at INFO; the authentication events discussed in the
// ticket should therefore be visible in the system log.
$conf['log']['priority'] = 'INFO';
$conf['log']['ident'] = 'HORDE';
$conf['log']['name'] = LOG_USER;
$conf['log']['type'] = 'syslog';
$conf['log']['enabled'] = true;
$conf['log_accesskeys'] = false;
$conf['prefs']['maxsize'] = 65535;
$conf['prefs']['params']['driverconfig'] = 'horde';
$conf['prefs']['driver'] = 'Sql';
$conf['alarms']['params']['driverconfig'] = 'horde';
$conf['alarms']['params']['ttl'] = 300;
$conf['alarms']['driver'] = 'Sql';
$conf['group']['params']['driverconfig'] = 'horde';
$conf['group']['driver'] = 'Sql';
$conf['perms']['driverconfig'] = 'horde';
$conf['perms']['driver'] = 'Sql';
$conf['share']['no_sharing'] = false;
$conf['share']['auto_create'] = true;
$conf['share']['world'] = true;
$conf['share']['any_group'] = false;
$conf['share']['hidden'] = false;
$conf['share']['cache'] = false;
$conf['share']['driver'] = 'Sqlng';
$conf['cache']['default_lifetime'] = 86400;
$conf['cache']['params']['sub'] = 0;
$conf['cache']['driver'] = 'File';
$conf['cache']['use_memorycache'] = '';
$conf['cachecssparams']['url_version_param'] = true;
$conf['cachecss'] = false;
$conf['cachejsparams']['url_version_param'] = true;
$conf['cachejs'] = false;
$conf['cachethemes'] = false;
$conf['lock']['params']['driverconfig'] = 'horde';
$conf['lock']['driver'] = 'Sql';
$conf['token']['params']['driverconfig'] = 'horde';
$conf['token']['driver'] = 'Sql';
$conf['history']['params']['driverconfig'] = 'horde';
$conf['history']['driver'] = 'Sql';
$conf['davstorage']['params']['driverconfig'] = 'horde';
$conf['davstorage']['driver'] = 'Sql';
// Outbound mail: SMTP with TLS on port 25, no SMTP authentication (host and
// HELO name redacted).
$conf['mailer']['params']['host'] = '**';
$conf['mailer']['params']['port'] = 25;
$conf['mailer']['params']['secure'] = 'tls';
$conf['mailer']['params']['localhost'] = '**';
$conf['mailer']['params']['auth'] = false;
$conf['mailer']['params']['lmtp'] = false;
$conf['mailer']['type'] = 'smtp';
$conf['vfs']['params']['driverconfig'] = 'horde';
$conf['vfs']['type'] = 'Sql';
// PHP's built-in session handler (sessions are not stored in the database).
$conf['sessionhandler']['type'] = 'Builtin';
$conf['sessionhandler']['hashtable'] = false;
$conf['spell']['params']['path'] = '/usr/local/bin/aspell';
$conf['spell']['driver'] = 'aspell';
$conf['gnupg']['path'] = '/usr/local/bin/gpg';
$conf['gnupg']['keyserver'] = array('pool.sks-keyservers.net',
'subkeys.pgp.net', 'pgp.mit.edu');
$conf['gnupg']['timeout'] = 10;
$conf['nobase64_img'] = false;
$conf['image']['convert'] = '/usr/local/bin/convert';
$conf['image']['identify'] = '/usr/local/bin/identify';
$conf['image']['driver'] = 'Im';
$conf['exif']['driver'] = 'Bundled';
$conf['timezone']['location'] = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz';
$conf['problems']['email'] = '**';
$conf['problems']['maildomain'] = '**';
$conf['problems']['tickets'] = false;
$conf['problems']['attachments'] = true;
$conf['menu']['links']['help'] = 'all';
$conf['menu']['links']['prefs'] = 'authenticated';
$conf['menu']['links']['problem'] = 'never';
$conf['menu']['links']['login'] = 'all';
$conf['menu']['links']['logout'] = 'authenticated';
$conf['portal']['fixed_blocks'] = array('horde:horde_Block_Cloud',
'horde:horde_Block_Feed', 'horde:horde_Block_Iframe',
'horde:horde_Block_Moon', 'horde:horde_Block_Sunrise',
'horde:horde_Block_Time', 'horde:horde_Block_Vatid',
'horde:horde_Block_Account', 'ingo:ingo_Block_Overview',
'kronolith:kronolith_Block_Monthlist',
'kronolith:kronolith_Block_Prevmonthlist',
'kronolith:kronolith_Block_Summary',
'kronolith:kronolith_Block_Month', 'mnemo:mnemo_Block_Summary',
'mnemo:mnemo_Block_Note', 'nag:nag_Block_Summary',
'trean:trean_Block_Mostclicked', 'trean:trean_Block_Bookmarks',
'turba:turba_Block_Minisearch');
$conf['accounts']['driver'] = 'null';
$conf['user']['verify_from_addr'] = true;
$conf['user']['select_view'] = true;
$conf['facebook']['enabled'] = false;
$conf['twitter']['enabled'] = false;
$conf['urlshortener'] = false;
$conf['weather']['provider'] = false;
// NOTE(review): the core IMAP/ActiveSync integrations are disabled here; the
// mail access the ticket refers to is handled by IMP's own configuration,
// which is not part of this file.
$conf['imap']['enabled'] = false;
$conf['imsp']['enabled'] = false;
$conf['kolab']['enabled'] = false;
$conf['hashtable']['driver'] = 'none';
$conf['activesync']['enabled'] = false;
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */
database tables:
+-----------------------+
| Tables_in_postfix |
+-----------------------+
| admin |
| alias |
| alias_domain |
| config |
| domain |
| domain_admins |
| fetchmail |
| log |
| mailbox |
| quota |
| quota2 |
| vacation |
| vacation_notification |
+-----------------------+
13 rows in set (0.00 sec)
+-----------------+--------------+------+-----+---------------------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------------+--------------+------+-----+---------------------+-------+
| username | varchar(255) | NO | PRI | NULL | |
| password | varchar(255) | NO | | NULL | |
| name | varchar(255) | NO | | NULL | |
| maildir | varchar(255) | NO | | NULL | |
| quota | bigint(20) | NO | | 0 | |
| local_part | varchar(255) | NO | | NULL | |
| domain | varchar(255) | NO | MUL | NULL | |
| created | datetime | NO | | 2000-01-01 00:00:00 | |
| modified | datetime | NO | | 2000-01-01 00:00:00 | |
| active | tinyint(1) | NO | | 1 | |
| phone | varchar(30) | NO | | | |
| email_other | varchar(255) | NO | | | |
| token | varchar(255) | NO | | | |
| token_validity | datetime | NO | | 2000-01-01 00:00:00 | |
| password_expiry | datetime | NO | | 2000-01-01 00:00:00 | |
+-----------------+--------------+------+-----+---------------------+-------+
15 rows in set (0.00 sec)