Koozali.org: home of the SME Server

horde shows webmail without HTTPS

jurjen

horde shows webmail without HTTPS
« on: August 15, 2002, 02:51:16 PM »
Hi,
I am running e-smith 5.5, webmail is configured as "secure HTTPS access only".

However, if I simply browse to
   http://www.mydomain.com/horde
then I can also view my webmail, without any complaints about not using a secure connection. This looks like a security risk to me.

I don't know if this also worked before I installed TWiki. Yesterday I installed TWiki following the howto somewhere on this e-smith.org site, and this morning I discovered just accidentally that I can browse to the domain/horde directory to view your webmail without https. I don't know if it is also possible with an SME server without TWiki.

Anyway, is there a way to fix this? Should I have installed TWiki somewhere else, like in an ibay, and change the httpd.conf such that it never looks in /home/httpd/html again? If so, what exactly should I change in httpd.conf ?

Thanks in advance,
Jurjen.

Jon Blakely

Re: horde shows webmail without HTTPS
« Reply #1 on: August 15, 2002, 03:26:57 PM »
I am using 5.5 and webmail access set for secure. It works correctly. If I use http:// I get a message telling me to use https://

Jon

jurjen

Re: horde shows webmail without HTTPS
« Reply #2 on: August 15, 2002, 05:35:58 PM »
Jon Blakely wrote:
>
> I am using 5.5 and webmail access set for secure. It works
> correctly. If I use http:// I get a message telling me to use
> https://

Ok, I get that too when I browse to "webmail". That's perfect.

The point is that it does not tell me to use https when I browse to
   http://www.mydomain.com/horde

The horde script redirects to webmail, not using https.  It is a security issue, don't you think?

In my first post I was wondering if the TWiki installation has anything to do with it. Now I know it doesn't: I just browsed to http://www.someoneelse.com/horde and also got a webmail login without https.  (someoneelse is not really an existing domain, it was actually a friends e-smith server).

Jurjen.
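A quick way to confirm what Jurjen describes from the outside, without reading pages by hand, is to look at the response headers Apache sends for the plain-HTTP URL. The shell function below is an added example, not part of the original thread or of SME Server: it reads `curl -sI` output on stdin and succeeds only when the server answers with a 3xx redirect whose Location is an https:// URL. A 200 response (whether the login page or a "please use https" notice) fails the check and should be inspected by hand.

```shell
#!/bin/sh
# Added example: decide whether a plain-HTTP response forces HTTPS.
# Input: raw HTTP response headers on stdin, e.g. from
#   curl -sI http://www.mydomain.com/horde | requires_https
# Exit 0 if the status is 3xx and Location starts with https://, else 1.
requires_https() {
    # Read all headers once and drop CR so CRLF line endings do not break matching
    hdrs=$(cat | tr -d '\r')

    # Status code is the second field of the first line ("HTTP/1.1 302 Found")
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')

    # First Location header, value only, leading whitespace removed
    loc=$(printf '%s\n' "$hdrs" | grep -i '^location:' | head -n 1 \
          | sed 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[ \t]*//')

    case "$status" in
        3??) ;;            # a redirect; go on to check where it points
        *)   return 1 ;;   # 200 means content was served over plain HTTP
    esac

    case "$loc" in
        https://*) return 0 ;;   # redirected to HTTPS: good
        *)         return 1 ;;   # redirected elsewhere (e.g. http://.../webmail): still insecure
    esac
}

# Check a list of paths on one host; prints one line per path.
# usage: check_host www.mydomain.com /horde /webmail
check_host() {
    host=$1; shift
    for p in "$@"; do
        if curl -sI "http://$host$p" | requires_https; then
            printf '%s%s: forces HTTPS\n' "$host" "$p"
        else
            printf '%s%s: SERVED OR REDIRECTED OVER PLAIN HTTP\n' "$host" "$p"
        fi
    done
}
```

Run `check_host www.mydomain.com /horde /webmail /horde/imp` from outside the LAN; on the setup in this thread `/webmail` passes and `/horde` fails.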

Jenny

Re: horde shows webmail without HTTPS
« Reply #3 on: August 15, 2002, 09:01:21 PM »
Well this seems for me a security bug and should be reported to  bugs@e-smith.com

Reynolds

Re: horde shows webmail without HTTPS
« Reply #4 on: August 15, 2002, 09:17:14 PM »
First I'm new to Linux.  I'm using 5.1.2 but I think 5.5 is the same. If you are on your local network it works either way (secured or unsecured).  Coming from the outside it has to be secured.

Chow!

jurjen

Re: horde shows webmail without HTTPS
« Reply #5 on: August 15, 2002, 09:58:01 PM »
Jenny wrote:
>
> Well this seems for me a security bug and should be reported
> to  bugs@e-smith.com

Good idea!  So I have reported it now and already received confirmation that it can be reproduced and will be investigated....

Jurjen.

Andy

Re: horde shows webmail without HTTPS
« Reply #6 on: August 16, 2002, 04:42:55 PM »
Both a colleague and I have SME boxes, mine is running 5.5 and his is running 5.1.2

(All testing is from External)

On 5.5 foo.com/webmail works as it should, foo.com/horde works non-secure.
On 5.1.2 foo.com/webmail again works fine, foo.com/horde asks for a secure connection also.. humm..

also.. I have now upgraded to HORDE 2.1 and IMP 3.1
still the same..

Hope that is of some help..

JL

Re: horde shows webmail without HTTPS
« Reply #7 on: August 17, 2002, 06:33:40 AM »
Yes I am able to repro the problem as described.
On another interesting note....... Internet Explorer 6 can go to http://domain.com/webmail and the certificate stuff comes up. Mozilla on the other hand displays an error message about a problem with the certificate and never connects to webmail. It does using straight http though. Matters not whether inside the local lan or coming in from the internet.

Funny thing. It was OK with 4.x on to 5.1.2. Did a clean install of 5.5 and this showed up.

Anyone else see this on Mozilla 1.0 for Linux?
JL

Thomas Kristensen

Re: horde shows webmail without HTTPS
« Reply #8 on: August 20, 2002, 01:41:12 PM »
Hi,

Apparently, you have direct access to everything in the /home/httpd/html/horde directory without any authentication from external networks.

I just tried (on my freshly installed SME 5.5) to access some of the PHP scripts and subdirs in the above mentioned directory and this works. I'm not sure, however, if access to http://www../horde/status.php is a security risk or not.

Thoughts, anyone???

TIA,
Thomas Kristensen
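Jurjen's question in the first post (what to change in httpd.conf) and Thomas's observation above (the scripts and subdirectories under /home/httpd/html/horde are reachable directly) can both be addressed with the same Apache fragment. The configuration below is an added example, not SME Server's shipped configuration and not from the thread: it assumes the Horde tree lives at /home/httpd/html/horde, that it is served as both /horde and /webmail, and that the plain-HTTP vhost listens on a port other than 443. The Horde subdirectory names are the usual Horde 2.x layout and should be checked against the local tree. On SME Server the fragment belongs in a custom template for httpd.conf rather than in the generated file itself.

```apache
# Added example: force HTTPS for the webmail paths and hide Horde internals.
#
# Weak state described in the thread: only the /webmail alias carries the
# "secure HTTPS access only" check, while the same files sit under
# DocumentRoot and are served as /horde with no check at all.

RewriteEngine On
# SERVER_PORT works on Apache 1.3 with mod_ssl as well as on 2.x;
# anything not arriving on 443 is sent to the HTTPS URL of the same path.
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(horde|webmail)(/.*)?$ https://%{HTTP_HOST}/$1$2 [R=301,L]

# Refuse direct requests for Horde's internal directories, which hold
# configuration (including database credentials) and library code that
# is never meant to be fetched by a browser.
<DirectoryMatch "^/home/httpd/html/horde/(config|lib|locale|scripts|templates)">
    # Apache 1.3/2.0 access control syntax; use "Require all denied" on 2.4
    Order deny,allow
    Deny from all
</DirectoryMatch>

# Only let the PHP front ends be requested; block stray files such as
# backups, CVS metadata and editor swap files that sometimes ship with a tree.
<Directory /home/httpd/html/horde>
    <FilesMatch "(\.bak|\.orig|~|\.dist|\.inc)$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</Directory>
```

After restarting httpd, a request for http://www.mydomain.com/horde/ should answer 301 with a https:// Location, and http(s)://www.mydomain.com/horde/config/ should answer 403; the status.php Thomas mentions is a regular front-end script and is still reachable, but only over HTTPS.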

JL

Re: horde shows webmail without HTTPS
« Reply #9 on: August 20, 2002, 01:53:08 PM »
OK... update to my problem.... found out my certificate was changed and mozilla flat out denied the site. (man in the middle attack. ) Apparently IE6 is not so smart. Once I fixed the certificate, and Mozilla's certificate entries, all was right as rain.

Still..... was able to repro the problem as described above.

WRT being able to view www.mydomain.com/horde/status.php , I cannot do that at all from the outside. I checked a friend's server as well and was not able to. Our IMP access is set to https only.