I just stumbled upon a decrypted session to our sogo host and the browser sends this:
POST /SOGo/so/my_user_name/Mail//my_D_name_A_mydomain_D_de/folderINBOX/uids HTTP/1.1
Host: bafoussam.rz.uni-konstanz.de
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://bafoussam.rz.uni-konstanz.de/SOGo/so/my_user_name/Mail/view
Cookie: 0xHIGHFLYxSOGo=basic%20XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Cookie: 0xHIGHFLYxSOGo=basic%20XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is the culprit: the XXX is exactly the base64-encoded form of "username:password" as it is used by Basic HTTP auth. This cookie stays stored in the user's browser. From my understanding this is a security no-go: it should be an anonymous random hash code which only describes an entry in the session table of the web application, so that when the session has timed out the cookie has become worthless. This cookie is valid forever, even after logout. More: just by searching the cookie database of the browser you'll get the user account and his password!
-- [email protected] https://inverse.ca/sogo/lists
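As an added illustration (not code from the post or from SOGo itself), the following Python shows a check that flags cookies carrying a Basic-auth "username:password" pair, next to the opaque server-side session table the post asks for instead. The cookie name is the one from the captured request; the credential pair, the TTL and the timestamps are constructed.

```python
import base64
import binascii
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Constructed sample: the captured Cookie header, with a made-up credential
# pair standing in for the XXX... placeholder quoted in the post.
SAMPLE_COOKIE_HEADER = "0xHIGHFLYxSOGo=basic%20" + base64.b64encode(b"alice:s3cret").decode()


def credential_bearing_cookies(cookie_header: str) -> Dict[str, str]:
    """Return {cookie_name: username} for every cookie whose value is
    'basic <base64(user:password)>', i.e. a Basic-auth credential stored
    client-side instead of an opaque session id. Passwords are not returned."""
    found = {}
    for part in cookie_header.split(";"):
        name, sep, raw = part.strip().partition("=")
        if not sep:
            continue
        value = unquote(raw.strip())          # %20 -> space, as in the capture
        if not value.lower().startswith("basic "):
            continue
        try:
            decoded = base64.b64decode(value[6:], validate=True)
        except (binascii.Error, ValueError):
            continue                          # not base64, so not a Basic pair
        if b":" in decoded:
            found[name] = decoded.partition(b":")[0].decode("utf-8", "replace")
    return found


class SessionTable:
    """What the post asks for: a random token that is only a key into a
    server-side table with an expiry, so it carries no user data and
    becomes worthless on timeout or logout."""

    def __init__(self, ttl_seconds: int = 1800):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expires_at)

    def create(self, user: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)     # 256 bits from the CSPRNG, nothing derived from the user
        self._sessions[token] = (user, (time.time() if now is None else now) + self.ttl)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """User for a live token, or None if unknown, expired or logged out."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None or entry[1] <= now:
            self._sessions.pop(token, None)   # purge expired tokens
            return None
        return entry[0]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```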
