Involuntary session hijacking
Reported by: bartd
Owned by:
Priority: 1 - Highest
Milestone: 0.6-beta
Roundcube will sometimes display messages from other users' mailboxes, given that both users are accessing rcm from the same IP address, but independent of the time between their sessions.
The message list always shows the real user's messages, but the preview pane or opening the e-mail will show headers & body from another mailbox that was accessed from the same client IP address.
I've seen cases where user B logs in 3 days after user A and somehow gets hold of his old session, which is reused to retrieve the messages. It only happens with users who share the same IP address, i.e. large corporate networks using NAT.
Using double_auth did not fix the issue. Neither did upgrading to 0.3.1. Is REMOTE_ADDR somehow used to reuse sessions?
PHP version: 5.3.1
imapd: dovecot 1.2.5 through perdition
browser: problem is independent of browser, has occurred in IE7 and FF3
reproducible: yes and no, I haven't been able to reproduce it, but it happens on a daily basis with a large userbase.
I do have a screenshot demonstrating the problem, but I shouldn't upload it where it's publicly viewable.
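As an added illustration for readers of this ticket (not Roundcube code, and not a claim about what actually caused the bug), the PHP sketch below shows why a server-side message cache keyed on REMOTE_ADDR, the possibility the reporter asks about, would produce exactly the symptom described once several users sit behind one NAT gateway, and how binding the entry to the authenticated session and user avoids it. The class `PreviewCache`, the mailbox data and the session identifiers are all invented for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical illustration, not Roundcube code: a server-side preview cache
// keyed two different ways. The IP-keyed variant reproduces the ticket's
// symptom when two users share one NAT address; the session-keyed one does not.

final class PreviewCache
{
    /** @var array<string, array{user: ?string, body: string}> */
    private array $store = [];

    public function __construct(private bool $keyByIpOnly) {}

    private function key(string $remoteAddr, string $user, string $sessionId, string $uid): string
    {
        if ($this->keyByIpOnly) {
            // Weak: REMOTE_ADDR is treated as the client's identity. Everyone
            // behind the same NAT gateway collides on this key, so user B is
            // served whatever user A cached, however long ago.
            return $remoteAddr . ':' . $uid;
        }
        // Hardened: the entry belongs to one authenticated login session.
        return hash('sha256', $sessionId . '|' . $user . '|' . $uid);
    }

    public function fetch(string $remoteAddr, string $user, string $sessionId, string $uid, callable $loadFromImap): string
    {
        $k = $this->key($remoteAddr, $user, $sessionId, $uid);
        if (!isset($this->store[$k])) {
            // The naive design records no owner, because it assumes the address
            // is the owner. The hardened design records who the entry is for.
            $owner = $this->keyByIpOnly ? null : $user;
            $this->store[$k] = ['user' => $owner, 'body' => $loadFromImap($user, $uid)];
        }
        // Defence in depth for the hardened variant: never hand out an entry
        // that was populated for a different account, even if the key scheme
        // is later changed or misconfigured.
        $owner = $this->store[$k]['user'];
        if ($owner !== null && $owner !== $user) {
            throw new RuntimeException("cache entry owned by '$owner' requested by '$user'");
        }
        return $this->store[$k]['body'];
    }
}

// Constructed sample mailboxes standing in for the IMAP server.
$mailboxes = [
    'alice' => ['1' => 'Alice: quarterly numbers attached'],
    'bob'   => ['1' => 'Bob: lunch on Friday?'],
];
$imap = static fn (string $user, string $uid): string => $mailboxes[$user][$uid];

// Both users come from the same NAT address but hold different session cookies.
$nat = '203.0.113.10';

$weak = new PreviewCache(keyByIpOnly: true);
$weak->fetch($nat, 'alice', 'sess-A', '1', $imap);              // Alice populates the cache
$bobSeesWeak = $weak->fetch($nat, 'bob', 'sess-B', '1', $imap); // later, Bob opens "his" message 1

$hardened = new PreviewCache(keyByIpOnly: false);
$hardened->fetch($nat, 'alice', 'sess-A', '1', $imap);
$bobSeesHardened = $hardened->fetch($nat, 'bob', 'sess-B', '1', $imap);

echo "IP-keyed cache, Bob sees:      $bobSeesWeak\n";
echo "Session-keyed cache, Bob sees: $bobSeesHardened\n";
```

Run with `php` 8.0 or later. The point the sketch makes for the ticket is that the message list and the preview can disagree exactly as the reporter describes when the list is fetched from the user's own IMAP login while the preview is served from a cache whose key ignores who is logged in; any per-client state should be keyed by the session identifier and the authenticated user, never by the network address alone.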
Change History (39)
comment:10 Changed 4 years ago by till
- Priority changed from 2 to 1 - Highest
- Severity changed from major to critical
comment:14 Changed 2 years ago by casper
- Resolution fixed deleted
- Status changed from closed to reopened
comment:16 Changed 2 years ago by casper
- Milestone changed from 0.4-beta to 0.6-beta
- Version changed from 0.3.1 to 0.5.1
comment:32 (in reply to comment 28) Changed 2 years ago by thomasb
comment:33 (follow-up: comment 34) Changed 2 years ago by alec
- Component changed from Core functionality to Security issue