
Thread: preauth: bug or feature ?

  1. #1
    Join Date: Jul 2007
    Posts: 5

    preauth: bug or feature?

    Hi all,

    I have a script that generates preauth URLs for my users to log in to different webmail accounts. For example, here is the URL for toto@domain.com:

    Code:
    https://zimbra.webmail.com/service/preauth?account=toto%40domain.com&by=name&timestamp=1184319241000&expires=0&preauth=31791cdfb374449e0b28ec3dc08650f5efd7f

    The issue is that if you replace "toto" with "tutu", you will be able to log into tutu@domain.com's account:

    Code:
    https://zimbra.webmail.com/service/preauth?account=tutu%40domain.com&by=name&timestamp=1184319241000&expires=0&preauth=31791cdfb374449e0b28ec3dc08650f5efd7f

    You can even change the preauth value, and you are still able to log into the account:

    Code:
    https://zimbra.webmail.com/service/preauth?account=tutu%40domain.com&by=name&timestamp=1184319241000&expires=0&preauth=31791cdffd7f

    It seems that the server-side script (/service/preauth) either does not calculate the HMAC-SHA1 correctly or does not check it at all.

    Am I doing something wrong?

    Regards
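    For reference, this is what a correct server-side check of such a URL looks like. The example below is added here and is not code from the thread or from Zimbra; it models the documented Zimbra preauth construction (HMAC-SHA1 over `account|by|expires|timestamp`, hex encoded, keyed with the domain's preauth key) and verifies the token with a constant-time comparison plus a timestamp freshness window. The key value, the base URL, the five-minute skew window and the `expires=0` handling are constructed assumptions for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample domain preauth key for this example (not a real key).
PREAUTH_KEY = "4e2816f16c44fab20ecdee39fb850c3b0bb54d03f1d8e073aaea376a4f407f0c"

# Assumed freshness window: a token whose timestamp is further than this
# from server time is rejected even if the HMAC verifies.
DEFAULT_MAX_SKEW_MS = 5 * 60 * 1000


def compute_preauth(key, account, by, expires, timestamp):
    """HMAC-SHA1 over 'account|by|expires|timestamp', lowercase hex."""
    msg = "|".join([account, by, str(expires), str(timestamp)]).encode("utf-8")
    return hmac.new(key.encode("utf-8"), msg, hashlib.sha1).hexdigest()


def make_preauth_url(base, key, account, timestamp_ms, expires=0, by="name"):
    """Build the URL a provisioning script would hand to a user."""
    token = compute_preauth(key, account, by, expires, timestamp_ms)
    query = urlencode({
        "account": account,
        "by": by,
        "timestamp": timestamp_ms,
        "expires": expires,
        "preauth": token,
    })
    return f"{base}/service/preauth?{query}"


def verify_preauth_url(url, key, now_ms, max_skew_ms=DEFAULT_MAX_SKEW_MS):
    """Server-side check. Returns (True, account) or (False, reason).

    Every field that feeds the HMAC is taken from the request itself, so
    changing 'account' (or any other field) must change the expected token;
    the comparison is constant-time so token length and prefix leak nothing.
    """
    params = parse_qs(urlparse(url).query)
    try:
        account = params["account"][0]
        by = params["by"][0]
        expires = int(params["expires"][0])
        timestamp = int(params["timestamp"][0])
        token = params["preauth"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed parameter"

    # Freshness: reject replayed or clock-skewed timestamps.
    if abs(now_ms - timestamp) > max_skew_ms:
        return False, "timestamp outside allowed skew"

    # expires=0 is modelled here as "no explicit expiry"; freshness then
    # rests on the timestamp window above (assumption for this example).
    if expires and now_ms > expires:
        return False, "token expired"

    expected = compute_preauth(key, account, by, expires, timestamp)
    if not hmac.compare_digest(expected, token):
        return False, "preauth token does not match"
    return True, account


if __name__ == "__main__":
    ts = 1184319241000
    good = make_preauth_url("https://zimbra.webmail.com", PREAUTH_KEY, "toto@domain.com", ts)
    print(verify_preauth_url(good, PREAUTH_KEY, ts + 1000))
    # Same token, account swapped: must be rejected.
    print(verify_preauth_url(good.replace("toto%40", "tutu%40"), PREAUTH_KEY, ts + 1000))
    # Truncated token: must be rejected.
    print(verify_preauth_url(good[:-28], PREAUTH_KEY, ts + 1000))
```

    With this check in place, both of the modified URLs in the post are rejected: the swapped account name changes the HMAC input, and the shortened token no longer equals the expected digest. A server that accepts them is either not recomputing the HMAC over the request's own parameters or not comparing the result at all.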

  2. #2
    Join Date: Jan 2007
    Posts: 26

    Have you made sure to clear all cookies, cache, auth sessions, and the like? It could be that even though you left the inbox for toto, because you are directly putting tutu in there, it's logging you in.

  3. #3
    Join Date: Jul 2007
    Posts: 5

    I tested it with a newly opened browser. Once I'm logged in with one account (e.g. toto@domain.com), I am able to see all accounts of the domain (tutu@domain.com, titi@domain.com, tata@domain.com, ...) by just changing the URL parameter.

    I don't use the latest 4.5 version of Zimbra OSS. I'll try with the latest one, and with the NE edition...
