4/10/26
Comment on [#1022] Collapsing Horde sidebar results in empty cookie
> Summary:
>
> After having expanded several nodes in the Horde sidebar, collapsing all of them causes an empty cookie to be sent to the browser. Server-side software such as the Apache mod_security module might detect this as an exploit of some sort, as seen in the mod_security audit report below:
>
> ========================================
> Request: x.x.x.x - - [27/Dec/2004:09:42:27 --0500] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 403 229
> Handler: application/x-httpd-php
> ----------------------------------------
> GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1
> Accept: */*
> Accept-Language: en-us
> Referer: http://horde.prwdot.org/services/portal/sidebar.php
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
> Host: x.y.z
> Connection: Keep-Alive
> Cookie: Horde=xxxxxxxxxxxxxxxxxxxxx; auth_key=xxxxxxxxxxxxxxxxxxxx; imp_key=xxxxxxxxxxxxxxxxx; horde_menu_expanded=
> mod_security-message: Invalid cookie format: Cookie value is missing #2
> mod_security-action: 403
>
> HTTP/1.1 403 Forbidden
> Content-Length: 229
> Keep-Alive: timeout=30, max=59
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
> ---------------------
>
> As seen in the above report, the horde_menu_expanded cookie is empty. In this particular mod_security configuration, mod_security generates an error 403 denied.
>
> A browser-side workaround is to simply re-expand one or more Horde menus, thus sending back a non-empty horde_menu_expanded cookie.
>
> For a server-side code fix, perhaps change Horde_Tree.prototype._setCookie in horde/templates/javascript/tree.js so that an empty cookie will not be set in the browser, or so that it would set the cookie to expire in the past, thus removing the empty cookie at the browser's earliest convenience. I'm sure there is some other good way to get around this issue.
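The second fix suggested in the report (expire the cookie instead of writing an empty value), together with a check for the header condition mod_security rejected, as an added example that is not Horde's tree.js code and not part of the original ticket. The function names, the `|` separator, the `deleted` placeholder value and the sample header are assumptions made for illustration.

```javascript
// Added example, not Horde's tree.js. Function names, the '|' separator and
// the 'deleted' placeholder value are assumptions.
const COOKIE_NAME = 'horde_menu_expanded'; // cookie name taken from the report

// Build the string a client script would assign to document.cookie for the
// current set of expanded nodes. When nothing is expanded, return a deletion
// (expiry in the past) rather than "horde_menu_expanded=".
function expandedCookieString(expandedNodes, path = '/') {
  const value = expandedNodes.map((n) => encodeURIComponent(n)).join('|');
  if (value === '') {
    // Non-empty placeholder so the browser never stores an empty value.
    return `${COOKIE_NAME}=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`;
  }
  return `${COOKIE_NAME}=${value}; path=${path}`;
}

// Return the names of cookies in a request Cookie header whose value is
// empty, the condition the mod_security rule in the report answered with 403.
function emptyCookieNames(cookieHeader) {
  const names = [];
  for (const pair of cookieHeader.split(';')) {
    const trimmed = pair.trim();
    if (trimmed === '') continue; // skip a trailing ';'
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq).trim();
    const value = eq === -1 ? '' : trimmed.slice(eq + 1).trim();
    if (value === '') names.push(name);
  }
  return names;
}

// Constructed sample modelled on the Cookie header in the audit report.
const SAMPLE_HEADER = 'Horde=xxxx; auth_key=xxxx; imp_key=xxxx; horde_menu_expanded=';

// What the browser would send back after each write: name=value only.
function requestPair(cookieString) {
  return cookieString.split(';')[0];
}
```

Running `emptyCookieNames` over logged Cookie headers shows which clients still send the empty value after the client-side change is deployed.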