Author Topic: I can log in as a user on another domain  (Read 1981 times)

johnnyc (Newbie, Posts: 1)
I can log in as a user on another domain
« on: February 24, 2010, 02:35:39 AM »
In my main config, I have:

// try to load host-specific configuration
// see http://trac.roundcube.net/wiki/Howto_Config for more details
$rcmail_config['include_host_config'] = array(
  'webmail.domain1.com' => 'domain1_com_config.inc.php',
  'webmail.domain2.com' => 'domain2_com_config.inc.php',
  'webmail.domain3.com' => 'domain3_com_config.inc.php');

// the mail host chosen to perform the log-in
// leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
$rcmail_config['default_host'] = 'ssl://mail.domain1.com';

an example of one of these config files is:

<?php
// Automatically add this domain to user names for login
// Only for IMAP servers that require full e-mail addresses for login
// Specify an array with 'host' => 'domain' values to support multiple hosts
$rcmail_config['username_domain'] = 'domain1.com';

// This domain will be used to form e-mail addresses of new users
// Specify an array with 'host' => 'domain' values to support multiple hosts
$rcmail_config['mail_domain'] = 'domain1.com';

// use this name to compose page titles
$rcmail_config['product_name'] = 'Domain1 Webmail';

?>

This allows me to simply enter my name without the @domain1.com, and I can log in, hooray!

The problem is that I can also log in as validname@domain2.com while my browser is at domain1.com.

I'm guessing that this is because I'm hosting mail for both domains on the same server, but this is an undesired login result. Is there any way to prevent someone with a full email address ending in domain2 from logging in at domain1? My expectation would be that if someone enters a full email address (validname@domain2.com), the value from username_domain would be appended and the login would fail (validname@domain2.com@domain1.com). Either that, or everything after the domain from the address would be stripped off (validname) and the value from username_domain would be appended (validname@domain1.com), and the login would fail since that user is not valid on domain1.

Is there another setting that I'm missing somewhere?

Thanks.

$ svn info
Path: .
URL: https://svn.roundcube.net/trunk/roundcubemail
Repository Root: https://svn.roundcube.net
Repository UUID: 208e9e7b-5314-0410-a742-e7e81cd9613c
Revision: 3281
Node Kind: directory
Schedule: normal
Last Changed Author: alec
Last Changed Rev: 3281
Last Changed Date: 2010-02-22 11:26:25 +0000 (Mon, 22 Feb 2010)
« Last Edit: February 24, 2010, 02:38:25 AM by johnnyc »

JohnDoh (Global Moderator, Hero Member, Posts: 2,209)
I can log in as a user on another domain
« Reply #1 on: February 24, 2010, 02:59:39 AM »
this is really easy to do using a plugin and the authenticate hook.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…
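A plugin of the kind the reply describes, written here as an added example rather than Roundcube's or the poster's own code: it hooks 'authenticate', reads the 'username_domain' that the host-specific config sets, and aborts the login when the typed user name already carries a different domain. The plugin name domain_guard and its path plugins/domain_guard/domain_guard.php are assumptions.

```php
<?php
// Example plugin (not Roundcube's own code, not the poster's). Assumed location:
// plugins/domain_guard/domain_guard.php, enabled via $rcmail_config['plugins'].
// A user name without '@' is left alone, so Roundcube still appends
// username_domain as before; a user name whose domain differs from the one
// configured for this host is refused before any IMAP connection is made.
class domain_guard extends rcube_plugin
{
    function init()
    {
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }

    function authenticate($args)
    {
        $rcmail  = rcmail::get_instance();
        $allowed = $rcmail->config->get('username_domain');

        // username_domain may be a string or a 'host' => 'domain' array;
        // try the mail host both with and without its ssl:// or tls:// prefix
        if (is_array($allowed)) {
            $host = $args['host'];
            $bare = preg_replace('#^(ssl|tls)://#', '', $host);
            if (isset($allowed[$host])) {
                $allowed = $allowed[$host];
            } elseif (isset($allowed[$bare])) {
                $allowed = $allowed[$bare];
            } else {
                $allowed = null;
            }
        }

        $at = strrpos($args['user'], '@');
        // nothing configured for this host, or no domain typed: keep default behaviour
        if (empty($allowed) || $at === false) {
            return $args;
        }

        $typed = strtolower(substr($args['user'], $at + 1));
        if ($typed !== strtolower($allowed)) {
            // wrong domain for this web host: tell Roundcube to abort the login
            $args['abort'] = true;
            write_log('userlogins', sprintf('Rejected login for %s from %s: domain %s not allowed on this host',
                $args['user'], $_SERVER['REMOTE_ADDR'], $typed));
        }

        return $args;
    }
}
```

With the poster's per-host config, validname@domain2.com entered at webmail.domain1.com is rejected and logged, while a bare validname still becomes validname@domain1.com through username_domain.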