dev.horde.org
Comment on [#7931] Left Logout button throws "malicious request"
> > Installed Software
> > --------------------------
> >
> > * RHEL5 RPM Installations
> >   Apache 2.2
> >   PHP v5.1.6
> >   MySQL 5.0.45
> >
> > * Horde Groupware Webmail Edition (version 1.2.2)
> >   http://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.2.tar.gz
> >
> > * Memcached (version 1.2.6)
> >   http://www.danga.com/memcached/download.bml
> >
> > * Memcache PHP Module (version 2.2.5)
> >   http://pecl.php.net/package/memcache
> >
> >
> > Configuration
> > --------------------
> > * Database => MySQL
> > * Authentication => imp
> > * Session Handler => Default PHP Session Handler
> >
> > * /etc/php.ini
> >   Using the default /etc/php.ini file with the recommended additional or
> >   modified lines to support the Memcache Session Handler.
> >
> >   [NOTE: Many of these settings are quite short in order to test behavior.]
> >
> >   extension=memcache.so
> >   session.save_handler = memcache
> >   session.save_path = "tcp://localhost:11211"
> >   session.use_cookies = 1
> >   session.use_only_cookies = 1
> >   session.name = PHPSESSID
> >   session.auto_start = 0
> >   session.cookie_lifetime = 300
> >   session.gc_probability = 1
> >   session.gc_divisor = 1
> >   session.gc_maxlifetime = 122
> >
> >   expose_php = Off
> >   display_errors = Off (default)
> >   log_errors = On (default)
> >   register_globals = Off (default)
> >
> > * /etc/php.d/memcache.ini
> >   memcache.allow_failover = 1
> >   memcache.max_failover_attempts = 20
> >   memcache.chunk_size = 8192
> >   memcache.default_port = 11211
> >   memcache.hash_strategy = standard
> >   memcache.hash_function = crc32
> >
> > * I am currently running the Memcached daemon in the foreground, so that I
> >   could better see the dialogue between the application and the server.
> >
> > Problem
> > ------------
> > * Thus far, everything seems to work until I attempt to log out.
> > * If I click on an application in the sidebar and then click on the "Log out"
> >   icon at the top of the frame, log out is successful. The displayed URL is:
> >
> >   https://hostname/imp/login.php?horde_logout_token=<tokenstring>=horde&logout_reason=logout
> >
> > * If I click on the "Log out" in the side bar, I receive the error:
> >
> >   We cannot verify that this request was really sent by you. It could
> >   be a malicious request. If you intended to perform this action,
> >   you can retry it now.
> >
> >   The displayed URL is:
> >
> >   https://hostname/login.php?horde_logout_token=<tokenstring>=horde&logout_reason=logout
> >
> >   However, if I modify the URL and change it to (Please, notice the only
> >   change being the addition of "imp" to the URL):
> >
> >   https://hostname/imp/login.php?horde_logout_token=<tokenstring>=horde&logout_reason=logout
> >
> >   , it then successfully logs out.
> >
> > * I have tracked down the code which is responsible for the error. It is
> >   located in the 'checkRequestToken' function in the file
> >   <Horde root directory>/lib/Horde.php
> >
> > --------------------------------------------
> > function checkRequestToken($slug, $token)
> > {
> >     if (empty($_SESSION['horde_form_secrets'][$token])) {
> >         return PEAR::raiseError(_("We cannot verify that this request was really sent by you. It could be a malicious request. If you intended to perform this action, you can retry it now."));
> >     }
> >
> >     if (($_SESSION['horde_form_secrets'][$token] + $GLOBALS['conf']['urls']['token_lifetime'] * 60) < time()) {
> >         return PEAR::raiseError(sprintf(_("This request cannot be completed because the link you followed or the form you submitted was only valid for %s minutes. Please try again now."), $GLOBALS['conf']['urls']['token_lifetime']));
> >     }
> >
> >     return true;
> > }
> > --------------------------------------------
> >
> > * When I used the Horde Memcache Session Handler, all "Log outs" (icon
> >   and sidebar) worked. However, the Horde Memcache Session Handler does
> >   not include an expiration on the session in the communication with
> >   the Memcached daemon, which is something we require.
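A Python model of the request-token check quoted above, added here as an illustration and not code from Horde or from the ticket: it mints a token into a session's `horde_form_secrets` map and reproduces the two failure branches of `checkRequestToken()` (token absent from the session, token older than `token_lifetime` minutes). The lifetime value and the session dicts are constructed for the example; the "unverifiable" outcome is the one the reporter sees, and the model shows that it also fires whenever the token was issued into a different session than the one the request carries, without diagnosing why that happened here.

```python
"""Model of Horde's horde_form_secrets request-token (CSRF) check."""
import secrets
import time
from typing import Optional, Tuple

# Assumed stand-in for $GLOBALS['conf']['urls']['token_lifetime'] (minutes).
TOKEN_LIFETIME_MINUTES = 30


def issue_request_token(session: dict, now: Optional[float] = None) -> str:
    """Mint a random token and record its issue time in the session."""
    token = secrets.token_hex(16)
    issued_at = time.time() if now is None else now
    session.setdefault("horde_form_secrets", {})[token] = issued_at
    return token


def check_request_token(session: dict, token: str,
                        lifetime_minutes: int = TOKEN_LIFETIME_MINUTES,
                        now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason), mirroring the two error branches of checkRequestToken()."""
    now = time.time() if now is None else now
    issued_at = session.get("horde_form_secrets", {}).get(token)
    # PHP empty() is true for a missing key and for a 0 timestamp alike.
    if not issued_at:
        return False, "unverifiable"   # "We cannot verify that this request ..."
    if issued_at + lifetime_minutes * 60 < now:
        return False, "expired"        # "... was only valid for %s minutes."
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: one token, checked against two sessions and later in time."""
    t0 = 1_700_000_000.0          # constructed base timestamp
    session_a, session_b = {}, {}  # two distinct PHP sessions
    token = issue_request_token(session_a, now=t0)
    return {
        # Same session, one minute later: passes.
        "same_session": check_request_token(session_a, token, now=t0 + 60)[1],
        # Token issued into session A but request arrives with session B: the
        # secrets map has no such key, so the "malicious request" branch fires.
        "other_session": check_request_token(session_b, token, now=t0 + 60)[1],
        # Same session but 31 minutes later with a 30-minute lifetime: expired.
        "expired": check_request_token(session_a, token, now=t0 + 31 * 60)[1],
    }


if __name__ == "__main__":
    print(demo())
```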