security lack with http_authentication
Reported by: Lars | Owned by:
When the http_authentication plugin is enabled and you log out, you can just re-enter the Roundcube URL and are automatically logged in as the previous user.
I'm not an HTTP expert, but the HTTP authentication should be expired/killed, or this behaviour should be mentioned somewhere.
Log in with http_auth.. enabled as mustermann
Log in as someone else (musterfrau) and you're logged in as mustermann (because of the plugin)
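The behaviour reported above can be reproduced in a small model; this is an added example, not part of the ticket and not Roundcube's code. `WebmailApp`, `Browser`, the `sid` and `logged_out` cookies, and the hardened mode (answering the first request after logout with a 401 so the browser discards its cached credentials) are assumptions made for illustration.

```python
import base64
import secrets

def basic_user(headers):
    """Return the user name from an Authorization: Basic header, or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    return base64.b64decode(value[6:]).decode().split(":", 1)[0]

class WebmailApp:
    """Hypothetical app that auto-logs-in from HTTP auth, as the ticket describes."""
    def __init__(self, hardened=False):
        self.hardened = hardened
        self.sessions = {}  # session id -> user

    def handle(self, path, headers, cookies):  # -> (status, user, cookies_to_set)
        sid = cookies.get("sid")
        if path == "/logout":
            self.sessions.pop(sid, None)
            return 200, None, {"sid": "", "logged_out": "1" if self.hardened else ""}
        if sid in self.sessions:
            return 200, self.sessions[sid], {}
        user = basic_user(headers)  # password assumed already checked by the web server
        if user is None or (self.hardened and cookies.get("logged_out") == "1"):
            return 401, None, {"logged_out": ""}  # challenge instead of silent login
        new_sid = secrets.token_hex(8)
        self.sessions[new_sid] = user
        return 200, user, {"sid": new_sid}

class Browser:
    """Constructed model: caches Basic credentials and resends them on every request."""
    def __init__(self, user, password):
        self.auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.cookies = {}

    def get(self, app, path):
        headers = {"Authorization": self.auth} if self.auth else {}
        status, user, set_cookies = app.handle(path, headers, dict(self.cookies))
        self.cookies.update(set_cookies)
        if status == 401:
            self.auth = None  # a real browser would now prompt for new credentials
        return status, user

def user_after_logout(hardened):
    app, browser = WebmailApp(hardened), Browser("mustermann", "constructed-password")
    browser.get(app, "/")         # auto-login via the cached HTTP credentials
    browser.get(app, "/logout")   # server-side session is destroyed
    return browser.get(app, "/")  # re-enter the URL
```

In the unhardened mode the destroyed session is recreated at once, because the browser still sends the same `Authorization` header; in the hardened mode the 401 clears the cached credentials, so the next login uses whatever the user types.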
Change History (5)
comment:1 Changed 23 months ago by thomasb
- Priority changed from 1 - Highest to 5
- Severity changed from critical to normal