Thread: Possible security breach

  1. #1
    andresin (Junior Member)

    Possible security breach

    I was reading this in the Zimbra blog and started wondering how this could be done without user authentication.
    So I just tried http://myserver/zimbra/username/inbox.rss and I got an XML file containing my inbox's emails (see screenshot) without a single password!!!!

    I didn't see any Admin option for enabling/disabling it, so I guess that it is open by default.

    This is a big breach in Zimbra security access. Why does Zimbra want secured IMAP by default if inboxes can be reached without passwords?

    The blog entry is quite old and I didn't see anything else about that on the forums or blog. Does anybody know what happened with this???

  2. #2
    marcmac (Expert Member)

    Did you check this with a browser that was already logged into the Zimbra server? Chances are that you passed your auth token in the background.

    Try grabbing it with wget, or curl, to make sure that's not the case.

  3. #3
    schemers (Zimbra Employee)

    By default the UserServlet will use the cookie if it is present, otherwise it will fall back to basic auth. You can add "auth=..." to the URL to control that behavior:

    Code:
      auth={auth-types}
    
      {auth-types} = comma-separated list. Legal values are:
          co     cookie
          ba     basic auth
          nsc    do not set a cookie when using basic auth
                  (default is "co,ba", i.e. check both)

  4. #4
    andresin (Junior Member)

    Damn cookies!!!

    Quote Originally Posted by schemers
    By default the UserServlet will use the cookie if it is present, otherwise it will fall back to basic auth. You can add "auth=..." to the URL to control that behavior:

    Code:
      auth={auth-types}
    
      {auth-types} = comma-separated list. Legal values are:
          co     cookie
          ba     basic auth
          nsc    do not set a cookie when using basic auth
                  (default is "co,ba", i.e. check both)

    You are right: the cookie (with my Administrator auth) is letting me reach any single account.
    From my point of view, nsc should be the default setting.
    If I access the web interface (or my own email) as an Administrator user when I am supporting a user on his own computer, he could access every single email in our company!!!
    The cookie should be set JUST when it is specifically accepted in the login screen.

    By the way, where can I modify {auth-types}?
    Thanks

  5. #5
    marcmac (Expert Member)

    Quote Originally Posted by andresin
    You are right: the cookie (with my Administrator auth) is letting me reach any single account.
    From my point of view, nsc should be the default setting.
    If I access the web interface (or my own email) as an Administrator user when I am supporting a user on his own computer, he could access every single email in our company!!!
    The cookie should be set JUST when it is specifically accepted in the login screen.

    By the way, where can I modify {auth-types}?
    Thanks

    Andresin, this is on you - if you use ANY administrative account on a user's computer, you are responsible for logging out before you go back to your desk. This applies to root accounts, domain admin accounts, and Zimbra admin accounts.

  6. #6
    andresin (Junior Member)

    Quote Originally Posted by marcmac
    Andresin, this is on you - if you use ANY administrative account on a user's computer, you are responsible for logging out before you go back to your desk. This applies to root accounts, domain admin accounts, and Zimbra admin accounts.

    Of course I log out before leaving a user's desk.
    But the problem is that "logging out" is NOT ENOUGH.
    It shouldn't be necessary to delete cookies for a proper logout.

  7. #7
    robrankin (Intermediate Member)

    Quote Originally Posted by andresin
    Of course I log out before leaving a user's desk.
    But the problem is that "logging out" is NOT ENOUGH.
    It shouldn't be necessary to delete cookies for a proper logout.

    Maybe I missed something, but when you log out of Zimbra it removes the auth token cookie. Without that you can't log into any service, the RSS feed for example.

    I just tested it to make sure... prompts me for username/password once I've logged out of Zimbra in a different tab.

  8. #8
    andresin (Junior Member)

    Quote Originally Posted by robrankin
    Maybe I missed something, but when you log out of Zimbra it removes the auth token cookie. Without that you can't log into any service, the RSS feed for example.

    I just tested it to make sure... prompts me for username/password once I've logged out of Zimbra in a different tab.
    It's working in a different way for me.
    1- I log in with my Administrator account (Firefox 1.5 on Debian).
    2- I log out from Zimbra.
    3- I open a new tab.
    4- I write this URL: http://myserver/zimbra/user/username/inbox.rss
    5- I get inbox.rss without needing authentication.

  9. #9
    andresin (Junior Member)

    Quote Originally Posted by andresin
    It's working in a different way for me.
    1- I log in with my Administrator account (Firefox 1.5 on Debian).
    2- I log out from Zimbra.
    3- I open a new tab.
    4- I write this URL: http://myserver/zimbra/user/username/inbox.rss
    5- I get inbox.rss without needing authentication.

    Answering my own post...

    I have been playing with Zimbra and checking my cookies, and I have found out when the cookie is deleted.
    A cookie is not deleted until the window/tab is closed or you visit a different server in the same window/tab you were using for Zimbra.
    If you log out but the login screen is still being shown, THE COOKIE IS KEPT. Cookies expire at "end of session", so the cookie is alive when you are already logged out.
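The following is an added example, not Zimbra's code and not from any poster in this thread: a small model of the UserServlet auth-type selection described in post #3, used to play through the scenario from post #9 (a session cookie that outlives the logout). The session and password tables, the token value and the account names are constructed for the example.

```python
# Added example (not Zimbra's code): model of the documented UserServlet
# auth-type selection, to show why a still-live session cookie alone is
# enough to read a feed, and what auth=ba and nsc change.
LEGAL_AUTH_TYPES = {"co", "ba", "nsc"}
DEFAULT_AUTH = "co,ba"  # documented default: check cookie, then basic auth


def parse_auth_types(value):
    """Parse the comma-separated {auth-types} list, rejecting unknown values."""
    types = [t.strip() for t in value.split(",") if t.strip()]
    bad = [t for t in types if t not in LEGAL_AUTH_TYPES]
    if bad:
        raise ValueError(f"illegal auth type(s): {bad}")
    return types


def select_auth(auth_param, cookie_token, basic_auth, sessions, passwords):
    """Decide how one feed request is authenticated.

    auth_param   -- value of ?auth= in the URL, or None for the default
    cookie_token -- auth token cookie the browser sent, or None
    basic_auth   -- (user, password) from an Authorization header, or None
    sessions     -- constructed server-side table: token -> account name
    passwords    -- constructed account table: account name -> password
    Returns (method, account, set_cookie); method "challenge" means the
    request is refused with a password prompt.
    """
    types = parse_auth_types(auth_param if auth_param is not None else DEFAULT_AUTH)
    if "co" in types and cookie_token in sessions:
        return ("cookie", sessions[cookie_token], False)
    if "ba" in types and basic_auth is not None:
        user, password = basic_auth
        if passwords.get(user) == password:
            # nsc: do not set a session cookie after a basic-auth login
            return ("basic", user, "nsc" not in types)
    return ("challenge", None, False)


# Constructed scenario from post #9: the admin logged in (token issued) and
# then "logged out" to the login screen while the session cookie stayed alive.
SESSIONS = {"tok-admin": "admin"}
PASSWORDS = {"admin": "admin-pw", "user": "user-pw"}

if __name__ == "__main__":
    # Default auth: the stale cookie alone is accepted for any user's feed.
    print(select_auth(None, "tok-admin", None, SESSIONS, PASSWORDS))
    # auth=ba: the cookie is ignored, so the request is challenged.
    print(select_auth("ba", "tok-admin", None, SESSIONS, PASSWORDS))
    # auth=ba,nsc: basic auth succeeds and no new session cookie is stored.
    print(select_auth("ba,nsc", None, ("user", "user-pw"), SESSIONS, PASSWORDS))
```

The check to take away is the second call: with the default "co,ba" a leftover cookie is honoured, while "ba" forces the password prompt regardless of what the browser still holds.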
