Author Topic: Roundcube Still Has That Major Security Flaw!!!!!  (Read 12669 times)

Offline Delta-9

  • Jr. Member
  • **
  • Posts: 35
Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #15 on: August 17, 2006, 05:15:15 PM »
Quote from: moroswitie

opened new browser window, entered only password (for this user); logging in failed =>
=>
opened new browser windows (ie), entered only password (for this user); logging in failed
-------
-------
opened new browser window, entered only password for the first user I logged in with; successfully logged in

Well then, there you go. It looks like it is looking at the first record in the database and tries the password against that record.

Interesting.

Offline fibbers

  • Newbie
  • *
  • Posts: 2
Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #16 on: August 17, 2006, 06:55:59 PM »
Quote
...
[roundcube-root]/program/include/main.inc
on line 460 you should see something like this:
Quote
if ($sql_arr = $DB->fetch_assoc($sql_result))
...
The line then should look like this:
Quote
if ($sql_arr == $DB->fetch_assoc($sql_result))
...

I was a little too enthusiastic with posting I think :), because if you make the change I wrote above, the preferences are not fetched from the database (at least in my case).

Now I just modified the 'rcmail_login' function in program/include/main.inc so that on line 423 I inserted:
Code:
if (empty($user) || empty($pass)) return false;
and this does work correctly ;)
Just: chill.

Offline bamnptow

  • Newbie
  • *
  • Posts: 9
Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #17 on: August 17, 2006, 07:24:51 PM »
I can duplicate this, too.

The first user created in my system can logon without entering a user name. Subsequent users all need both username and password. This applies to Firefox and IE6.

I don't think it's a major crisis because anybody with an email from me can guess my username with no effort at all, but it is still a little disturbing!

Offline atrophic

  • Newbie
  • *
  • Posts: 2
Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #18 on: August 20, 2006, 04:16:53 AM »
The default alias for any user is blank. Because of that a blank username pulls up the first user entered that doesn't yet have an alias. If you give the first user added an alias the second one is assumed when no username is supplied, etc.

Fix it with this patch:
Code:
--- main.bak.inc
+++ main.inc
@@ -451,7 +451,7 @@
  // query if user already registered
  $sql_result = $DB->query("SELECT user_id, username, language, preferences
               FROM ".get_table_name('users')."
-              WHERE mail_host=? AND (username=? OR alias=?)",
+              WHERE mail_host=? AND (username=? OR (alias=? AND alias!=''))",
               $host,
               $user,
               $user);
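Review bot: the added `alias!=''` guard only tightens the `alias` branch of the WHERE clause; an empty `$user` still reaches the query and is compared against `username=?`, so the real fix is to reject an empty username (and password) in `rcmail_login` before any lookup runs. Note also that the guard only matters because the default alias is stored as an empty string; a NULL alias never satisfies `alias=?` in the first place, so rows with NULL aliases are unaffected either way.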

Offline Scubes13

  • Jr. Member
  • **
  • Posts: 48
Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #19 on: August 24, 2006, 08:46:40 AM »
Just thought I would note that I am able to login without a username on our test installation as well. As stated earlier, it is the first user only.

Kevin L.

Offline AlexRezid

  • Jr. Member
  • **
  • Posts: 12
Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #20 on: August 28, 2006, 02:35:52 PM »
Quote from: atrophic
The default alias for any user is blank. Because of that a blank username pulls up the first user entered that doesn't yet have an alias. If you give the first user added an alias the second one is assumed when no username is supplied, etc.

Fix it with this patch:
Code:
--- main.bak.inc
+++ main.inc
@@ -451,7 +451,7 @@
  // query if user already registered
  $sql_result = $DB->query("SELECT user_id, username, language, preferences
               FROM ".get_table_name('users')."
-              WHERE mail_host=? AND (username=? OR alias=?)",
+              WHERE mail_host=? AND (username=? OR (alias=? AND alias!=''))",
               $host,
               $user,
               $user);

Using this code breaks Preferences fetching from the database...

Use (as suggested somewhere) :
Code:
--- main.inc.old    2006-08-28 20:33:44.000000000 +0200
+++ main.inc  2006-08-28 20:33:08.000000000 +0200
@@ -420,6 +420,8 @@
  global $CONFIG, $IMAP, $DB, $sess_user_lang;
  $user_id = NULL;

+ if (!$user) return FALSE;
+
  if (!$host)
   $host = $CONFIG['default_host'];
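Review bot: `if (!$user) return FALSE;` uses PHP truthiness, so a username that is literally the string "0" is rejected along with the empty one; a strict test such as `if ($user === '') return FALSE;` (or `strlen($user) == 0`) avoids that. The check also covers only the username; the earlier `empty($user) || empty($pass)` variant in this thread rejects an empty password at the same point, which costs nothing and keeps an empty password from ever reaching the lookup.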

Offline infoeon

  • Newbie
  • *
  • Posts: 3
Re: Roundcube Still Has That Major Security Flaw!!!!!
« Reply #21 on: September 07, 2006, 09:57:11 AM »
I have the same issue on .1 beta2. There are 6 users in my Roundcube database and I can log in as the first user listed with just the password. It does not appear to be a browser cache issue as it happens on IE and Firefox on the same machine and also Firefox on a separate machine.

1) Log in with username and password on machine A
2) Log out on machine A
3) Log in with just password on machine A, or B, or C, ....

I checked the options in my config files and didn't find any that affected the issue.
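The blank-alias match described in this thread, reproduced against a constructed in-memory users table (added example, not Roundcube's own code): the original WHERE clause, atrophic's SQL-side patch, and the "reject empty credentials before the lookup" fix are compared side by side. Table layout, host and user names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample of a Roundcube-style `users` table: the first user was
# created with the default blank alias (''), the second was given an alias.
SAMPLE_USERS = [
    (1, "alice", "mail.example.test", ""),
    (2, "bob", "mail.example.test", "bobby"),
]

# WHERE clause from the thread before and after atrophic's patch.
ORIGINAL_QUERY = ("SELECT user_id, username FROM users "
                  "WHERE mail_host=? AND (username=? OR alias=?)")
PATCHED_QUERY = ("SELECT user_id, username FROM users "
                 "WHERE mail_host=? AND (username=? OR (alias=? AND alias!=''))")


def make_db():
    """Build the constructed users table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, username TEXT, "
               "mail_host TEXT, alias TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", SAMPLE_USERS)
    return db


def lookup(db, query, host, user):
    """Return the username of the first row the query matches, or None.
    With ORIGINAL_QUERY and user == '' this returns the first user whose
    alias is still blank, which is the flaw reported in the thread."""
    row = db.execute(query, (host, user, user)).fetchone()
    return row[1] if row else None


def login_with_precheck(db, query, host, user, password):
    """Fix in the style of the rcmail_login patches: refuse empty credentials
    before any database lookup. A strict length test is used instead of
    PHP-style truthiness so a user literally named "0" is not rejected."""
    if len(user) == 0 or len(password) == 0:
        return None
    return lookup(db, query, host, user)
```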