[SECURITY] Overtake another account
Reported by: lommy
Owned by: (unassigned)
Priority: 1 - Highest
Milestone: 0.3.1
Today I experienced a big security hole in Roundcube!
I was using Roundcube r2991 with Dovecot and MySQL as database backend. The following happened: My brother was logged in with his username. He is not sure if he logged out or just closed the browser after sending a mail. About half an hour later I logged into Roundcube with my username. Of course our usernames and passwords are different. While logged in I got a lot of "Server Error! (Not found)" messages. Because of that I reloaded the whole website in my browser (we are both using Firefox 3.5.2). And now I was logged into my brother's mailbox. I asked my brother and he visited Roundcube again. He was directly in his own mailbox (I think his browser used his old cookie where he was still logged in). Even when he logged out I was still in his mailbox. I could read all his mails in all his folders. I did not check if I could access his settings or address book.
I looked it up: We both were using different session IDs saved in the cookies. The Roundcube logs are empty. The Apache logs are empty, too. The database schema is up to date. I have no idea how that could have happened. So I think it's a Roundcube session issue. I'm sorry that I cannot give a more detailed way to reproduce this security hole.
Best regards, lommy
Change History (12)
comment:4 Changed 4 years ago by alec
- Resolution set to worksforme
- Status changed from new to closed
comment:5 Changed 4 years ago by lommy
- Resolution worksforme deleted
- Status changed from closed to reopened