[#2067] HTTP/HTTPS login issue
Summary: HTTP/HTTPS login issue
Queue: IMP
Queue Version: 4.0.3
Type: Bug
State: Not A Bug
Priority: 2. Medium
Owners: Horde Developers (at)
Requester: horde (at) padilla (dot) net
Created: 2005-06-02 (5037 days ago)
Due:
Updated: 2005-06-06 (5033 days ago)
Assigned: 2005-06-02 (5037 days ago)
Resolved: 2005-06-06 (5033 days ago)
Milestone:
Patch: No

History
2005-06-06 14:40:54 Chuck Hagenbuch State ⇒ Not A Bug
 
2005-06-06 12:06:10 horde (at) padilla (dot) net Comment #6
Fair enough, I guess the alternative is to simply set
$conf['auth']['checkip'] to false.

> These are generated by HTTP headers, right? Then yes, forging them
> would be too easy.
2005-06-06 11:26:39 Jan Schneider Comment #5
These are generated by HTTP headers, right? Then yes, forging them 
would be too easy.
2005-06-02 22:42:59 Chuck Hagenbuch Comment #4
State ⇒ Feedback
Do we really want to trust that variable? If the point is security, 
this pretty much defeats it, I think.
2005-06-02 09:24:00 Jan Schneider State ⇒ Assigned
Assigned to Horde Developers

2005-06-02 09:04:20 horde (at) padilla (dot) net Comment #3
Here is the unified diff:

--- ~/horde-3.0.4/lib/Horde/Auth.php Tue Mar 29 12:59:56 2005

+++ lib/Horde/Auth.php  Thu Jun  2 08:00:17 2005

@@ -1080,7 +1080,10 @@

      function _checkSessionIP()

      {

          return (empty($GLOBALS['conf']['auth']['checkip']) ||

-                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['REMOTE_ADDR']));

+                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['REMOTE_ADDR']) ||

+                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_CLIENT_IP']) ||

+                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_X_FORWARDED_FOR'])

+       );

      }



      /**
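Review bot: comparing the pinned session address against $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR'] in the three added lines lets the IP check pass on input the client controls: those two values are copied straight from the Client-IP and X-Forwarded-For request headers, which any sender can set, so a request carrying the stored address in one of them satisfies the check whatever its real source, and checkip no longer protects a replayed session ID. If proxy-forwarded addresses have to be honoured, honour X-Forwarded-For only when REMOTE_ADDR is one of the site's own proxies (a configured list) and keep the plain REMOTE_ADDR comparison otherwise; setting $conf['auth']['checkip'] to false, as Comment #6 suggests, is the honest alternative. Separately, the two new lookups have no isset() guard, so every request that arrives without those headers raises an undefined-index notice, and the repeated isset($_SESSION['__auth']['remote_addr']) can be hoisted into a single test.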


2005-06-02 08:47:57 Jan Schneider Comment #2
State ⇒ Feedback
Can you please upload a unified diff of your changes? Thanks.
2005-06-02 06:02:10 horde (at) padilla (dot) net Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ HTTP/HTTPS login issue
Queue ⇒ IMP
Hi,

I have Horde/IMP set up for using HTTPS only for the part of the
session where the password is sent ($conf['use_ssl'] = 3;). I (client
side) am on a network that uses a transparent proxy for HTTP traffic,
so the HTTP and HTTPS source addresses that hit the server are
different.

I modified lib/Horde/Auth.php as follows (added checks for
HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR) and now it works fine:

     function _checkSessionIP()
     {
         // Skip the check when $conf['auth']['checkip'] is disabled; otherwise
         // accept a match against REMOTE_ADDR or, when the proxy headers are
         // present, against Client-IP / X-Forwarded-For.
         return (empty($GLOBALS['conf']['auth']['checkip']) ||
                 (isset($_SESSION['__auth']['remote_addr']) &&
                  $_SESSION['__auth']['remote_addr'] == $_SERVER['REMOTE_ADDR']) ||
                 (isset($_SESSION['__auth']['remote_addr'], $_SERVER['HTTP_CLIENT_IP']) &&
                  $_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_CLIENT_IP']) ||
                 (isset($_SESSION['__auth']['remote_addr'], $_SERVER['HTTP_X_FORWARDED_FOR']) &&
                  $_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_X_FORWARDED_FOR'])
         );
     }

Thanks for a great webmail client!

Len Padilla
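An added example, not Horde code and not from this ticket, contrasting the check proposed above with a version that honours X-Forwarded-For only when the connecting peer is one of the site's own proxies; the function names, $trustedProxies and the sample requests are assumptions.

```php
<?php
// Weak form of the check from this ticket: Client-IP and X-Forwarded-For are
// plain request headers, so any sender can put the pinned address in them and
// pass, even from an unrelated source address.
function checkSessionIpWeak(string $pinned, array $server): bool
{
    return $pinned === ($server['REMOTE_ADDR'] ?? '')
        || (isset($server['HTTP_CLIENT_IP']) && $pinned === $server['HTTP_CLIENT_IP'])
        || (isset($server['HTTP_X_FORWARDED_FOR']) && $pinned === $server['HTTP_X_FORWARDED_FOR']);
}

// Hardened form: the forwarded address is consulted only when the TCP peer is
// a proxy we operate ($trustedProxies is an assumed configuration list);
// otherwise the header is ignored and REMOTE_ADDR itself must match.
function checkSessionIpHardened(string $pinned, array $server, array $trustedProxies): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if ($pinned === $peer) {
        return true;
    }
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return false;
    }
    // X-Forwarded-For is "client, proxy1, proxy2, ..."; our trusted proxy
    // appended the final entry, so that is the address it actually saw.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    return $pinned === end($hops);
}

// Constructed sample requests (not captured traffic).
$pinned         = '203.0.113.10';   // address stored in the session at login
$trustedProxies = ['10.0.0.5'];     // the site's own transparent HTTP proxy
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];
$spoofed  = ['REMOTE_ADDR' => '198.51.100.7',
             'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];

foreach (['via proxy' => $viaProxy, 'spoofed header' => $spoofed] as $label => $req) {
    printf("%-15s weak=%s hardened=%s\n", $label,
        var_export(checkSessionIpWeak($pinned, $req), true),
        var_export(checkSessionIpHardened($pinned, $req, $trustedProxies), true));
}
```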
