Package: atmailopen
Version: 1.03+dfsg+svn93-4
Severity: grave

    I'm getting trouble with atmailopen because the first time the
user logs in to the system, his session is created and stored in the
"UserSession" table of the database. Once the user session is stored
in the database, it's *not* updated anymore and this behaviour causes
serious disadvantages (and some of them IMHO are bugs) like the
following:


 * Keeps the cleartext password stored in the database forever. It's a
critical security issue. [1]

 * Causes a bug where users cannot log in anymore because their
passwords were changed on the server and differ from the passwords
that are currently stored in their old user sessions in the
"UserSession" table of the local database. [2]


    I fixed these issues by adding a new method to the Auth class (see
Auth.php.patch) that destroys any session for a user, both in PHP
*and* in the database. To fix issue [1] I added a call to this new method
in the logout process in the file index.php (see index.php.patch). To
fix issue [2] I added a call to this new method in parse.php
(see parse.php.patch) to clean up old sessions of the user every time he
accesses the login page.

    I'm running Debian GNU/Linux 5.0 (Lenny) and Kernel 2.6.26-2-686.

-- 
Regards,

Arthur Furlan
arthur.fur...@gmail.com
--- Auth.php	2009-05-07 15:36:19.000000000 -0300
+++ Auth-patched.php	2009-05-07 15:36:03.000000000 -0300
@@ -1,5 +1,4 @@
 <?php
-
 require_once('header.php');
 
 require_once('SQL.php');
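Review bot: the removal of the blank line after `<?php` in this hunk is unrelated whitespace churn; drop it so the patch contains only the session fix and stays easy to review and backport.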
@@ -658,6 +657,41 @@
 	   return false;
 	}
 
+	/**
+	 * Changed by Arthur Furlan <arthur.fur...@gmail.com> on 2009-05-07
+	 *
+	 *
+	 * Completely destroys the user session by removing the record in the
+	 * "UserSession" table of the database and destroying the php session.
+	 *
+	 * At the first time an user log in the system, his session is created
+	 * and stored in the "UserSession" table of the database. Once the user
+	 * session is stored in the database, it's not updated anymore and this
+	 * behaviour has some serious disadvantages like following:
+	 *
+	 * 	1. Keep the cleartext password stored in the database forever,
+         *
+	 * 	2. Causes a bug of users that cannot log in anymore because
+	 *	their passwords were changed in the server and differ from the
+	 * 	passwords that are currently stored in old user sessions on the
+	 * 	"UserSession" table of local database.
+	 *
+	 * This method should be called in the specific parts of the system to
+	 * fix the behaviours listed above.
+	 */ 
+	function destroy_session() {
+		global $atmail;
+
+		// destroys the user session in the database
+		$query = 'DELETE FROM UserSession WHERE Account = ?';
+	        $data  = array("{$this->userna...@{$this->pop3host}");
+		$atmail->db->sqldo($query, $data);
+
+		// destroys the user session in the php
+		session_regenerate_id(true);
+		session_unset();
+		session_destroy();
+	}
 
 	function get_username()
 	{
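Review bot: in `destroy_session()`, `session_regenerate_id(true)` immediately before `session_unset()` / `session_destroy()` is redundant (it creates a fresh session that is destroyed on the next line); on the other hand the method never expires the session cookie, so the browser keeps presenting the old session id after logout. Replace the regenerate call with the usual cookie expiry, e.g. `setcookie(session_name(), '', time() - 42000, '/');` after `session_destroy()`. Two smaller points: the `$data` assignment and one docblock line are indented with spaces while the rest of the file uses tabs, and the docblock repeats the bug report narrative; a short description of what the method does (deletes the caller's `UserSession` row keyed on `Account = username@pop3host` and ends the PHP session) is enough. The parameterised `DELETE` is the right way to build the query.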
--- index.php	2009-05-07 15:38:25.000000000 -0300
+++ index-pachted.php	2009-05-07 15:42:12.000000000 -0300
@@ -120,7 +120,16 @@
 
 	}
 
-	session_destroy();
+	/**
+	 * Changed by Arthur Furlan <arthur.fur...@gmail.com> on 2009-05-07
+	 *
+	 *
+	 * Completely destroys the user session (in both php and database).
+	 *
+	 * It prevents of keeping the cleartext password stored in the database
+	 * forever (IMO i'ts a serious security issue).
+	 */
+	$auth->destroy_session();
 }
 
 $var['Ajax'] = '1';
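Review bot: the hunk assumes `$auth` is the logged-in user's Auth object at this point in the logout path, but that is not visible in the context lines; if it is unset or empty, `destroy_session()` issues its `DELETE` with an empty `Account` key and the cleartext password row survives. The parse.php change reaches the object via `$atmail->getAuthObj()`; use the same accessor here unless `$auth` is already defined in this scope. The nine-line docblock above a single call can be a one-line comment.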
--- parse.php	2009-05-07 15:44:16.000000000 -0300
+++ parse-patched.php	2009-05-07 15:44:06.000000000 -0300
@@ -28,6 +28,19 @@
 // No auth necessary to display login page
 if ($filename == 'html/login-light.html') {
     echo $atmail->parse('html/login-light.html');
+
+    /**
+     * Changed by Arthur Furlan on 2009-05-07
+     *
+     *
+     * If there is an old user session on the database, destroy it completely.
+     *
+     * The line below fixes the bug of users that cannot log in anymore because
+     * their passwords were changed in the server and differ from the passwords
+     * that are currently stored in old sessions of the local database.
+     */
+    $atmail->getAuthObj()->destroy_session();
+
     $atmail->end();
 }
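Review bot: this call runs on every unauthenticated render of the login page, before any credentials from the current request have been checked, so `destroy_session()` can only key its `DELETE` on whatever `username` / `pop3host` an existing PHP session carries; a user arriving in a fresh browser session has no such values, the `DELETE` matches nothing, and the stale `UserSession` row with the outdated password is left in place, which is exactly case [2]. The more robust place for the cleanup is the login handler, after the credentials have been verified against the server and the account is known; if the login-page call is kept, guard it so it is skipped when the Auth object has no username.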
 
