Thread: Possible security breach


  1. #1

    Possible security breach

    I was reading this in the Zimbra blog and started wondering how this could be done without user authentication.
    So I just tried http://myserver/zimbra/username/inbox.rss and I got an XML file containing my inbox's emails (see screenshot) without a single password!!!!

    I didn't see any Admin option for enabling/disabling it, so I guess that it is open by default.

    This is a big breach in Zimbra's access security. Why does Zimbra want secured IMAP by default if inboxes can be reached without passwords?

    The blog entry is quite old and I didn't see anything else about that on the forums or blog. Does anybody know what happened with this???

  2. #2


    Did you check this with a browser that was already logged into the Zimbra server? Chances are that you passed your auth token in the background.

    Try grabbing it with wget, or curl, to make sure that's not the case.

  3. #3


    By default the UserServlet will use the cookie if it is present, otherwise it will fall back to basic auth. You can add "auth=..." to the URL to control that behavior:

    Code:
      auth={auth-types}
    
      {auth-types} = comma-separated list. Legal values are:
          co     cookie
          ba     basic auth
          nsc    do not set a cookie when using basic auth
                  (default is "co,ba", i.e. check both)
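The selection rules quoted above, modelled as an added example (this is not Zimbra's UserServlet code; it only assumes the semantics exactly as stated: an allowed cookie wins if present, otherwise allowed basic auth, and "nsc" suppresses the cookie that basic auth would otherwise set). It also shows why a stale admin token in a browser is honoured under the default "co,ba" but ignored when the URL carries "auth=ba,nsc".

```python
from typing import Optional, Tuple

# Legal auth-types from the thread and the stated default.
LEGAL_AUTH_TYPES = {"co", "ba", "nsc"}
DEFAULT_AUTH = "co,ba"


def parse_auth_types(param: Optional[str]) -> set:
    """Parse the comma-separated {auth-types} list; None means the default."""
    raw = DEFAULT_AUTH if param is None else param
    types = {t.strip() for t in raw.split(",") if t.strip()}
    illegal = types - LEGAL_AUTH_TYPES
    if illegal:
        raise ValueError(f"illegal auth type(s): {sorted(illegal)}")
    return types


def resolve_auth(param: Optional[str], has_cookie: bool,
                 has_basic_creds: bool) -> Tuple[Optional[str], bool]:
    """Decide how one request is authenticated.

    Returns (mechanism, sets_cookie): mechanism is "cookie", "basic" or
    None when neither allowed mechanism is usable (request rejected).
    """
    types = parse_auth_types(param)
    if "co" in types and has_cookie:
        return "cookie", False      # existing token reused; nothing new set
    if "ba" in types and has_basic_creds:
        return "basic", "nsc" not in types
    return None, False


def rss_url(base: str, user: str, param: Optional[str] = None) -> str:
    """Build the inbox.rss URL from the thread, with an optional auth= query."""
    url = f"{base.rstrip('/')}/zimbra/{user}/inbox.rss"
    return url if param is None else f"{url}?auth={param}"


if __name__ == "__main__":
    # Constructed scenario: a browser that still carries an admin auth token.
    for p in (None, "ba,nsc"):
        mech, sets = resolve_auth(p, has_cookie=True, has_basic_creds=False)
        print(rss_url("http://myserver", "username", p), "->", mech, sets)
```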

  4. #4

    Damn cookies!!!

    Quote Originally Posted by schemers
    By default the UserServlet will use the cookie if it is present, otherwise it will fall back to basic auth. You can add "auth=..." to the URL to control that behavior:

    Code:
      auth={auth-types}
    
      {auth-types} = comma-separated list. Legal values are:
          co     cookie
          ba     basic auth
          nsc    do not set a cookie when using basic auth
                  (default is "co,ba", i.e. check both)

    You are right: the cookie (with my Administrator auth) is letting me reach any single account.
    From my point of view, nsc should be the default setting.
    If I access the web interface (or my own email) as an Administrator user when I am supporting a user on his own computer, he could access every single email in our company!!!
    The cookie should be set JUST when it is specifically accepted in the login screen.

    By the way, where can I modify {auth-types}?
    Thanks

  5. #5


    Quote Originally Posted by andresin
    You are right: the cookie (with my Administrator auth) is letting me reach any single account.
    From my point of view, nsc should be the default setting.
    If I access the web interface (or my own email) as an Administrator user when I am supporting a user on his own computer, he could access every single email in our company!!!
    The cookie should be set JUST when it is specifically accepted in the login screen.

    By the way, where can I modify {auth-types}?
    Thanks
    Andresin, this is on you - if you use ANY administrative account on a user's computer, you are responsible for logging out before you go back to your desk. This applies to root accounts, domain admin accounts, and Zimbra admin accounts.

  6. #6


    Quote Originally Posted by marcmac
    Andresin, this is on you - if you use ANY administrative account on a user's computer, you are responsible for logging out before you go back to your desk. This applies to root accounts, domain admin accounts, and Zimbra admin accounts.
    Of course I log out before leaving a user's desk.
    But the problem is that "logging out" is NOT ENOUGH.
    It shouldn't be necessary to delete cookies for a proper logout.
