Roundcube Community Forum

 

Roundcube Still Has That Major Security Flaw!!!!!

Started by simplistsims, August 10, 2006, 10:31:08 AM


Delta-9

Quote from: moroswitie
opened new browser window, entered only password (for this user); logging in failed
=>
opened new browser windows (ie), entered only password (for this user); logging in failed
-------
opened new browser window, entered only password for the first user I logged in with; successfully logged in

Well then, there you go. It looks like it is looking at the first record in the database and tries the password against that record.

Interesting.

fibbers

Quote
...
[roundcube-root]/program/include/main.inc
on line 460 you should see something like this:
Quote
if ($sql_arr = $DB->fetch_assoc($sql_result))
...
The line then should look like this:
Quote
if ($sql_arr == $DB->fetch_assoc($sql_result))
...

I was a little too enthusiastic with posting I think :), because if you make the change I wrote above, the preferences are not fetched from the database (at least in my case).

Now I just modified the 'rcmail_login' function in program/include/main.inc so that on line 423 I inserted:
if (empty($user) || empty($pass)) return false;
and this does work correctly ;)
Just: chill.

bamnptow

I can duplicate this, too.

The first user created in my system can log on without entering a user name. Subsequent users all need both username and password. This applies to Firefox and IE6.

I don't think it's a major crisis because anybody with an email from me can guess my username with no effort at all, but it is still a little disturbing!

atrophic

The default alias for any user is blank. Because of that a blank username pulls up the first user entered that doesn't yet have an alias. If you give the first user added an alias the second one is assumed when no username is supplied, etc.

Fix it with this patch:
--- main.bak.inc
+++ main.inc
@@ -451,7 +451,7 @@
  // query if user already registered
  $sql_result = $DB->query("SELECT user_id, username, language, preferences
               FROM ".get_table_name('users')."
-              WHERE mail_host=? AND (username=? OR alias=?)",
+              WHERE mail_host=? AND (username=? OR (alias=? AND alias!=''))",
               $host,
               $user,
               $user);
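Review bot: In the changed WHERE line, `alias!=''` only filters the stored column value, so an empty `$user` is still bound to both placeholders and the query still runs for a blank login. Reject an empty `$user` before `$DB->query(...)` is called and keep the alias guard as a second layer; a short comment above the query explaining that the default alias is blank would also help the next reader.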

Scubes13

Just thought I would note that I am able to log in without a username on our test installation as well. As stated earlier, it is the first user only.

Kevin L.

AlexRezid

Quote from: atrophic
The default alias for any user is blank. Because of that a blank username pulls up the first user entered that doesn't yet have an alias. If you give the first user added an alias the second one is assumed when no username is supplied, etc.

Fix it with this patch:
--- main.bak.inc
+++ main.inc
@@ -451,7 +451,7 @@
  // query if user already registered
  $sql_result = $DB->query("SELECT user_id, username, language, preferences
               FROM ".get_table_name('users')."
-              WHERE mail_host=? AND (username=? OR alias=?)",
+              WHERE mail_host=? AND (username=? OR (alias=? AND alias!=''))",
               $host,
               $user,
               $user);

Using this code breaks Preferences fetching from the database...

Use (as suggested somewhere) :
--- main.inc.old    2006-08-28 20:33:44.000000000 +0200
+++ main.inc  2006-08-28 20:33:08.000000000 +0200
@@ -420,6 +420,8 @@
  global $CONFIG, $IMAP, $DB, $sess_user_lang;
  $user_id = NULL;

+ if (!$user) return FALSE;
+
  if (!$host)
   $host = $CONFIG['default_host'];
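Review bot: The added `if (!$user) return FALSE;` relies on PHP loose truthiness, so it also rejects the username "0", and it leaves an empty `$pass` unchecked. An explicit test such as `if ($user === '' || $pass === '') return FALSE;` (or a string-length check) states the intent exactly and covers both inputs.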

infoeon

I have the same issue on .1 beta2. There are 6 users in my Roundcube database and I can log in as the first user listed with just the password. It does not appear to be a browser cache issue as it happens on IE and Firefox on the same machine and also Firefox on a separate machine.

1) Log in with username and password on machine A
2) Log out on machine A
3) Log in with just password on machine A, or B, or C, ....

I checked the options in my config files and didn't find any that affected the issue.
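The blank-alias lookup atrophic describes earlier in the thread, reproduced as an added example that is not part of any post or of Roundcube's code. It runs the two WHERE clauses from the patch against an in-memory SQLite table; the schema, the rows, the host name and the `ORDER BY` (added only to make "first record" deterministic) are constructed assumptions.

```python
import sqlite3

# WHERE clauses taken from the patch in the thread; the column list is shortened.
ORIGINAL = ("SELECT user_id, username FROM users "
            "WHERE mail_host=? AND (username=? OR alias=?)")
PATCHED = ("SELECT user_id, username FROM users "
           "WHERE mail_host=? AND (username=? OR (alias=? AND alias!=''))")

HOST = "mail.example.test"  # constructed host name


def make_db():
    """In-memory stand-in for the users table (assumed schema, constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT,"
               " mail_host TEXT, alias TEXT NOT NULL DEFAULT '')")
    db.executemany("INSERT INTO users (username, mail_host) VALUES (?, ?)",
                   [("alice", HOST), ("bob", HOST)])
    return db


def lookup(db, sql, host, user):
    """Return the username of the first matching row, or None if nothing matches."""
    row = db.execute(sql + " ORDER BY user_id", (host, user, user)).fetchone()
    return row[1] if row else None


def guarded_lookup(db, sql, host, user):
    """Same lookup, but refuse an empty username before touching the database."""
    if not isinstance(user, str) or user == "":
        return None
    return lookup(db, sql, host, user)


if __name__ == "__main__":
    db = make_db()
    print("original, blank user :", lookup(db, ORIGINAL, HOST, ""))
    print("patched,  blank user :", lookup(db, PATCHED, HOST, ""))
    # Give the first user an alias: the blank lookup now lands on the second user.
    db.execute("UPDATE users SET alias='al' WHERE username='alice'")
    print("original, after alias:", lookup(db, ORIGINAL, HOST, ""))
    print("patched,  alias 'al' :", lookup(db, PATCHED, HOST, "al"))
    print("guarded,  blank user :", guarded_lookup(db, ORIGINAL, HOST, ""))
```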