Tickets :: Comment on [#15095] Horde allows unauthenticated usere

* Your Email Address
* Spam protection	Enter the letters below: .__ . , __.. ,. . [__) \./ (__ \./ \| \| \| \ \| .__) \| \|__\|
Comment	> I have a Horde install that on FreeBSD/Dovecot/postfix, it is > supposed to authenticate users in a MySQL database. The users are > added into the database with postfixadmin. > if a User was to log into Horde with a legitimate UserName and an > incorrect password, Horde would let them through, allowing access to > the Contact, Calendar etc but not mail. however, imp throws the > error: User is not authorized for Mail (Host: *...*). > Also, if the legitimate username and wrong password is an admin, > horde allows access to the Administration Configuration. > > if the user enters the proper password, everything is fine and no errors. > > Is this a bug or a misconfiguration? How do I resolve this? > > > > > <?php > / CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. / > $conf['vhosts'] = false; > $conf['debug_level'] = E_ALL & ~E_NOTICE; > $conf['max_exec_time'] = 0; > $conf['compress_pages'] = true; > $conf['secret_key'] = ''; > $conf['umask'] = 077; > $conf['testdisable'] = true; > $conf['use_ssl'] = 2; > $conf['server']['name'] = $_SERVER['SERVER_NAME']; > $conf['urls']['token_lifetime'] = 30; > $conf['urls']['hmac_lifetime'] = 30; > $conf['urls']['pretty'] = false; > $conf['safe_ips'] = array(); > $conf['session']['name'] = 'Horde'; > $conf['session']['use_only_cookies'] = true; > $conf['session']['timeout'] = 0; > $conf['session']['cache_limiter'] = 'nocache'; > $conf['session']['max_time'] = 72000; > $conf['cookie']['domain'] = $_SERVER['SERVER_NAME']; > $conf['cookie']['path'] = '/'; > $conf['sql']['username'] = ''; > $conf['sql']['password'] = ''; > $conf['sql']['hostspec'] = 'localhost'; > $conf['sql']['port'] = 3306; > $conf['sql']['protocol'] = 'tcp'; > $conf['sql']['database'] = 'horde'; > $conf['sql']['charset'] = 'utf-8'; > $conf['sql']['ssl'] = false; > $conf['sql']['splitread'] = false; > $conf['sql']['logqueries'] = false; > $conf['sql']['phptype'] = 'mysql'; > $conf['nosql']['phptype'] = false; > $conf['ldap']['useldap'] = false; > $conf['auth']['admins'] = array(''); > $conf['auth']['checkip'] = true; > $conf['auth']['checkbrowser'] = true; > $conf['auth']['resetpassword'] = true; > $conf['auth']['alternate_login'] = false; > $conf['auth']['redirect_on_logout'] = false; > $conf['auth']['list_users'] = 'list'; > $conf['auth']['params']['phptype'] = 'mysql'; > $conf['auth']['params']['hostspec'] = 'localhost'; > $conf['auth']['params']['protocol'] = 'tcp'; > $conf['auth']['params']['username'] = 'postfix'; > $conf['auth']['params']['password'] = ''; > $conf['auth']['params']['database'] = 'postfix'; > $conf['auth']['params']['query_auth'] = 'SELECT password FROM mailbox > WHERE username = \L'; > $conf['auth']['params']['query_add'] = 'INSERT INTO mailbox (domain, > username , password, home) VALUES ( SUBSTRING_INDEX(\L, \'@\', -1), > \L, \P, \'/usr/local/virtual/SUBSTRING_INDEX(\L, \'@\', -1)/\L\')'; > $conf['auth']['params']['query_getpw'] = 'SELECT password FROM > mailbox WHERE username = \L'; > $conf['auth']['params']['query_update'] = ''; > $conf['auth']['params']['query_resetpassword'] = 'UPDATE mailbox SET > password = \P WHERE username = \L AND password = \P'; > $conf['auth']['params']['query_remove'] = 'DELETE FROM mailbox WHERE > username = \L AND domain = SUBSTRING_INDEX(\L, \'@\', -1)'; > $conf['auth']['params']['query_list'] = 'SELECT FROM mailbox'; > $conf['auth']['params']['query_exists'] = 'SELECT 1 FROM mailbox > WHERE SUBSTRING_INDEX(\L, \'@\', 1) AND domain = SUBSTRING_INDEX(\L, > \'@\', -1)'; > $conf['auth']['params']['encryption'] = 'crypt-md5'; > $conf['auth']['params']['show_encryption'] = true; > $conf['auth']['driver'] = 'customsql'; > $conf['auth']['params']['count_bad_logins'] = true; > $conf['auth']['params']['login_block'] = true; > $conf['auth']['params']['login_block_count'] = 3; > $conf['auth']['params']['login_block_time'] = 15; > $conf['signup']['params']['driverconfig'] = 'horde'; > $conf['signup']['driver'] = 'Sql'; > $conf['signup']['email'] = ''; > $conf['signup']['approve'] = true; > $conf['signup']['allow'] = true; > $conf['log']['priority'] = 'INFO'; > $conf['log']['ident'] = 'HORDE'; > $conf['log']['name'] = LOG_USER; > $conf['log']['type'] = 'syslog'; > $conf['log']['enabled'] = true; > $conf['log_accesskeys'] = false; > $conf['prefs']['maxsize'] = 65535; > $conf['prefs']['params']['driverconfig'] = 'horde'; > $conf['prefs']['driver'] = 'Sql'; > $conf['alarms']['params']['driverconfig'] = 'horde'; > $conf['alarms']['params']['ttl'] = 300; > $conf['alarms']['driver'] = 'Sql'; > $conf['group']['params']['driverconfig'] = 'horde'; > $conf['group']['driver'] = 'Sql'; > $conf['perms']['driverconfig'] = 'horde'; > $conf['perms']['driver'] = 'Sql'; > $conf['share']['no_sharing'] = false; > $conf['share']['auto_create'] = true; > $conf['share']['world'] = true; > $conf['share']['any_group'] = false; > $conf['share']['hidden'] = false; > $conf['share']['cache'] = false; > $conf['share']['driver'] = 'Sqlng'; > $conf['cache']['default_lifetime'] = 86400; > $conf['cache']['params']['sub'] = 0; > $conf['cache']['driver'] = 'File'; > $conf['cache']['use_memorycache'] = ''; > $conf['cachecssparams']['url_version_param'] = true; > $conf['cachecss'] = false; > $conf['cachejsparams']['url_version_param'] = true; > $conf['cachejs'] = false; > $conf['cachethemes'] = false; > $conf['lock']['params']['driverconfig'] = 'horde'; > $conf['lock']['driver'] = 'Sql'; > $conf['token']['params']['driverconfig'] = 'horde'; > $conf['token']['driver'] = 'Sql'; > $conf['history']['params']['driverconfig'] = 'horde'; > $conf['history']['driver'] = 'Sql'; > $conf['davstorage']['params']['driverconfig'] = 'horde'; > $conf['davstorage']['driver'] = 'Sql'; > $conf['mailer']['params']['host'] = ''; > $conf['mailer']['params']['port'] = 25; > $conf['mailer']['params']['secure'] = 'tls'; > $conf['mailer']['params']['localhost'] = ''; > $conf['mailer']['params']['auth'] = false; > $conf['mailer']['params']['lmtp'] = false; > $conf['mailer']['type'] = 'smtp'; > $conf['vfs']['params']['driverconfig'] = 'horde'; > $conf['vfs']['type'] = 'Sql'; > $conf['sessionhandler']['type'] = 'Builtin'; > $conf['sessionhandler']['hashtable'] = false; > $conf['spell']['params']['path'] = '/usr/local/bin/aspell'; > $conf['spell']['driver'] = 'aspell'; > $conf['gnupg']['path'] = '/usr/local/bin/gpg'; > $conf['gnupg']['keyserver'] = array('pool.sks-keyservers.net', > 'subkeys.pgp.net', 'pgp.mit.edu'); > $conf['gnupg']['timeout'] = 10; > $conf['nobase64_img'] = false; > $conf['image']['convert'] = '/usr/local/bin/convert'; > $conf['image']['identify'] = '/usr/local/bin/identify'; > $conf['image']['driver'] = 'Im'; > $conf['exif']['driver'] = 'Bundled'; > $conf['timezone']['location'] = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz'; > $conf['problems']['email'] = ''; > $conf['problems']['maildomain'] = '*'; > $conf['problems']['tickets'] = false; > $conf['problems']['attachments'] = true; > $conf['menu']['links']['help'] = 'all'; > $conf['menu']['links']['prefs'] = 'authenticated'; > $conf['menu']['links']['problem'] = 'never'; > $conf['menu']['links']['login'] = 'all'; > $conf['menu']['links']['logout'] = 'authenticated'; > $conf['portal']['fixed_blocks'] = array('horde:horde_Block_Cloud', > 'horde:horde_Block_Feed', 'horde:horde_Block_Iframe', > 'horde:horde_Block_Moon', 'horde:horde_Block_Sunrise', > 'horde:horde_Block_Time', 'horde:horde_Block_Vatid', > 'horde:horde_Block_Account', 'ingo:ingo_Block_Overview', > 'kronolith:kronolith_Block_Monthlist', > 'kronolith:kronolith_Block_Prevmonthlist', > 'kronolith:kronolith_Block_Summary', > 'kronolith:kronolith_Block_Month', 'mnemo:mnemo_Block_Summary', > 'mnemo:mnemo_Block_Note', 'nag:nag_Block_Summary', > 'trean:trean_Block_Mostclicked', 'trean:trean_Block_Bookmarks', > 'turba:turba_Block_Minisearch'); > $conf['accounts']['driver'] = 'null'; > $conf['user']['verify_from_addr'] = true; > $conf['user']['select_view'] = true; > $conf['facebook']['enabled'] = false; > $conf['twitter']['enabled'] = false; > $conf['urlshortener'] = false; > $conf['weather']['provider'] = false; > $conf['imap']['enabled'] = false; > $conf['imsp']['enabled'] = false; > $conf['kolab']['enabled'] = false; > $conf['hashtable']['driver'] = 'none'; > $conf['activesync']['enabled'] = false; > / CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */ > > database tables: > > +-----------------------+ > \| Tables_in_postfix \| > +-----------------------+ > \| admin \| > \| alias \| > \| alias_domain \| > \| config \| > \| domain \| > \| domain_admins \| > \| fetchmail \| > \| log \| > \| mailbox \| > \| quota \| > \| quota2 \| > \| vacation \| > \| vacation_notification \| > +-----------------------+ > 13 rows in set (0.00 sec) > > > +-----------------+--------------+------+-----+---------------------+-------+ > \| Field \| Type \| Null \| Key \| Default \| Extra \| > +-----------------+--------------+------+-----+---------------------+-------+ > \| username \| varchar(255) \| NO \| PRI \| NULL \| \| > \| password \| varchar(255) \| NO \| \| NULL \| \| > \| name \| varchar(255) \| NO \| \| NULL \| \| > \| maildir \| varchar(255) \| NO \| \| NULL \| \| > \| quota \| bigint(20) \| NO \| \| 0 \| \| > \| local_part \| varchar(255) \| NO \| \| NULL \| \| > \| domain \| varchar(255) \| NO \| MUL \| NULL \| \| > \| created \| datetime \| NO \| \| 2000-01-01 00:00:00 \| \| > \| modified \| datetime \| NO \| \| 2000-01-01 00:00:00 \| \| > \| active \| tinyint(1) \| NO \| \| 1 \| \| > \| phone \| varchar(30) \| NO \| \| \| \| > \| email_other \| varchar(255) \| NO \| \| \| \| > \| token \| varchar(255) \| NO \| \| \| \| > \| token_validity \| datetime \| NO \| \| 2000-01-01 00:00:00 \| \| > \| password_expiry \| datetime \| NO \| \| 2000-01-01 00:00:00 \| \| > +-----------------+--------------+------+-----+---------------------+-------+ > 15 rows in set (0.00 sec)
Attachment
Watch this ticket

Saved Queries