[#5696] https login problem
Summary: https login problem
Queue: Horde Base
Queue Version: 3.2-ALPHA
Type: Bug
State: Resolved
Priority: 2. Medium
Owners: chuck (at) horde (dot) org
Requester: horde (at) x-rayman (dot) co (dot) uk
Created: 2007-09-05
Due:
Updated: 2007-09-06
Assigned: 2007-09-06
Resolved: 2007-09-06
Milestone:
Patch: No

History
2007-09-06 14:04:27 Chuck Hagenbuch State ⇒ Resolved

2007-09-06 06:29:29 horde (at) x-rayman (dot) co (dot) uk Comment #9
> Please replace this file and re-test (after clearing your browser cache):
> http://cvs.horde.org/co.php?r=1.9&f=horde%2Fjs%2Fenter_key_trap.js

File replaced, cache cleared, and all working A-OK!

Yep, fixed in Linux, Firefox and Opera; will try Windows later today, but I think you've cracked it.

Cheers
2007-09-06 03:59:46 Matt Selsky Comment #8
Here are the relevant rules from modsecurity:

SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \
    "ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970015',severity:'4'"

SecRule RESPONSE_BODY "<\?(?!xml)" \
    "chain,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970902',severity:'4'"
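Both rules above are plain regular expressions over the response body, so what they flag can be reproduced offline. The following Python is an added example for this ticket, not code from the ticket, from Horde or from ModSecurity: it takes the two patterns exactly as quoted in comment #8 (no transformation such as t:lowercase is shown there, so they are applied case-sensitively; the rule that 970902 chains to is not on the page, so 970902 is modelled by its own regex alone) and runs them over constructed response bodies. The sample bodies are made up for the example: a genuine `<?php` fragment, an ordinary mail-display page whose message text merely mentions `fopen()`, an XML document, and a clean page.

```python
import re

# The two ModSecurity rules quoted in comment #8, with the mail line-wrapping
# removed. Only their regular expressions are modelled here; the actions
# (log, auditlog, chain) are not. No t:lowercase transform appears in the
# quoted rules, so matching is case-sensitive, exactly as written.
PHP_FUNCTION_LEAK = re.compile(
    r"(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)"
    r"|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)"
    r"|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)"
    r"|\$_(?:(?:pos|ge)t|session))\b"
)
PHP_OPEN_TAG = re.compile(r"<\?(?!xml)")

RULES = (
    ("970015", PHP_FUNCTION_LEAK),
    ("970902", PHP_OPEN_TAG),
)


def scan_response_body(body):
    """Return [(rule_id, first_matching_text), ...] for each rule that fires.

    One entry per rule mirrors what the audit log reports: one msg per rule,
    not one per matching token.
    """
    hits = []
    for rule_id, pattern in RULES:
        match = pattern.search(body)
        if match:
            hits.append((rule_id, match.group(0)))
    return hits


def flagged_tokens(body):
    """Every token rule 970015 would match, in document order.

    Useful when triaging a warning: seeing the tokens tells a reviewer
    whether the page carries leaked source or just text that names a function.
    """
    return [m.group(0) for m in PHP_FUNCTION_LEAK.finditer(body)]


# Constructed sample response bodies (invented for this example, not taken
# from the ticket).
MAIL_VIEW_PAGE = (
    "<html><body><pre>Hi, my script calls fopen() and then fread() "
    "but nothing happens, any idea why?</pre></body></html>"
)
LEAKED_PHP_PAGE = (
    "<?php\nsession_start();\n$fh = fopen('/tmp/x', 'r');\n?>\n<html></html>"
)
XML_PAGE = '<?xml version="1.0"?><feed><title>ok</title></feed>'
CLEAN_PAGE = "<html><body><p>Welcome to your mailbox.</p></body></html>"


if __name__ == "__main__":
    for name, body in (
        ("mail view quoting a function name", MAIL_VIEW_PAGE),
        ("genuine PHP leak", LEAKED_PHP_PAGE),
        ("XML prolog", XML_PAGE),
        ("clean page", CLEAN_PAGE),
    ):
        print(f"{name}: hits={scan_response_body(body)} "
              f"tokens={flagged_tokens(body)}")
```

Running the block shows that the mail-view page trips 970015 on the word `fopen` although nothing was leaked, while only the genuine PHP page trips both rules. Two details of the quoted patterns matter when reading warnings like the ones in comment #4: the leading `\b` wraps only the function-name alternatives, so `$_get` is flagged wherever it appears, and without a lowercase transform the usual spelling `$_GET` is not flagged at all. A "PHP source code leakage" warning on a message-display URL is therefore consistent with the rule matching the displayed mail text, which is why looking at the served page source, as asked in comment #6, is the right check.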
2007-09-06 03:50:08 Chuck Hagenbuch State ⇒ Feedback

2007-09-06 03:50:01 Chuck Hagenbuch Comment #7
Please replace this file and re-test (after clearing your browser cache):

http://cvs.horde.org/co.php?r=1.9&f=horde%2Fjs%2Fenter_key_trap.js
2007-09-06 03:47:01 Chuck Hagenbuch Comment #6
> [msg "PHP source code leakage"] [severity "WARNING"] against [uri "/horde/imp/message.php?index=1091"]

And if you view the source of this page, what "leaked source" do you see?
2007-09-05 19:22:14 horde (at) x-rayman (dot) co (dot) uk Comment #5
UPDATE!

This bug appears also to be in the none http login as well.

It is also present when Opera is used.
2007-09-05 18:34:27 horde (at) x-rayman (dot) co (dot) uk Comment #4
Is there anything I could do to help with this?

Generate a more detailed error report?

Let me know.

I've also noticed that modsecurity on my Apache server is reporting:

[msg "ASP/JSP source code leakage"] [severity "WARNING"] against [uri "/horde/imp/mailbox.php?page=1"]

[msg "PHP source code leakage"] [severity "WARNING"] against [uri "/horde/imp/message.php?index=1091"]

2007-09-05 14:24:06 Jan Schneider Assigned to Chuck Hagenbuch
State ⇒ Assigned

2007-09-05 14:21:26 Jan Schneider Comment #3
Could it be that we load horde's enter_key_trap.js in IMP's login screen? Looking at the diff, that would explain it:

http://cvs.horde.org/diff.php?sa=1&r1=1.2.10.3&r2=1.8&f=horde%2Fjs%2Fenter_key_trap.js
2007-09-05 14:16:45 Chuck Hagenbuch Comment #2
State ⇒ Feedback
That's very odd; I've never seen anything like that and I can't reproduce it. I'm at a loss as to what could cause that.
2007-09-05 06:25:43 horde (at) x-rayman (dot) co (dot) uk Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ https login problem
Queue ⇒ Horde Base
It would appear that when logging into Horde via an https route rather than http, the login screen becomes "over sensitive". By that I mean any character entered into either the username or password box appears to be interpreted as a carriage return and login is attempted straight away.

If the username is stored and you are to enter the password, a popup box appears as soon as you type the first letter of your password.

You can cut and paste into the boxes and they then work.

This behaviour is not observed in http mode.

IMP is being used to resolve the login.

Current setup:

Horde Version
     * Horde: 3.2-ALPHA

Horde Applications
     * Gollem: H3 (1.0.2)
     * Horde: 3.2-ALPHA
     * Imp: H3 (4.1.4)
     * Ingo: H3 (1.1.3)
     * Kronolith: H3 (2.1.5)
     * Mnemo: H3 (2.1.1)
     * Nag: H3 (2.1.3)
     * Sam: 1.0-cvs
     * Trean: 1.0-cvs
     * Turba: H3 (2.1.4)

This was an upgrade of a 3.1.4 system to accommodate the use of Trean.

The behaviour has been observed when using Firefox 2.0.0.6 in Windows and Linux environments.
