preauth: bug or feature ?

[toto]

Hi all,

I've a script that generates preauth URL for my users to login into different webmail. For example, here is the URL for toto@domain.com:

Code:

https://zimbra.webmail.com/service/preauth?account=toto%40domain.com&by=name&timestamp=1184319241000&expires=0&preauth=31791cdfb374449e0b28ec3dc08650f5efd7f

The issue is that if your replace "toto" with "tutu", you will be able to login into tutu@domain.com's account:

Code:

https://zimbra.webmail.com/service/preauth?account=tutu%40domain.com&by=name&timestamp=1184319241000&expires=0&preauth=31791cdfb374449e0b28ec3dc08650f5efd7f

You can even change the preauth value, and you still are able to login into the account:

Code:

https://zimbra.webmail.com/service/preauth?account=tutu%40domain.com&by=name&timestamp=1184319241000&expires=0&preauth=31791cdffd7f

It seems that the server side script (/service/preauth) does not calculate correctly the hmac-sha1 or does not take care of it.

Am I doing something wrong ?

Regards

[SuperMario]

Have you made sure to clear all cookies, cache, auth sessions, and the like? It could be that even though you left the inbox for toto, because you are directly putting tutu in there, it's logging you in.

[toto]

I tested it with a new opened browser. Once I'm logged with one account (eg. toto@domain.com), I am able to see all accounts of the domain (tutu@domain.com, titi@domain.com, tata@domain.com, ....) by just changing the url parameter.

I don't use the latest 4.5 version of Zimbra OSS. I'll try with the latest one, and the NE edition ...