About new security in SquirrelMail 1.4.20rc2


About new security in SquirrelMail 1.4.20rc2

by Fernando Gozalo

Hello:

Please consider changing, in /src/options.php, the line

if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
                                                ^^^^^^^
to

if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) {
                                                ^^^^^^^

Plugins that return to options.php after saving can only pass the token in
the URL.

Thanks.
Fernando.



------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
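To make the difference between the two lookups concrete, here is an added example (not SquirrelMail code, and not the author's plugin). It models the check in options.php with a hypothetical stand-in for sqgetGlobalVar() and hypothetical constants named like SquirrelMail's, takes the request arrays as parameters so it runs offline, and shows the three cases the thread is about: a normal POSTed settings form, a plugin returning to options.php through a URL, and a request carrying a wrong token.

```php
<?php
// Added example, not SquirrelMail code. The constants and get_request_var()
// are hypothetical stand-ins that model the SQ_POST / SQ_FORM lookup
// discussed in the thread; names are chosen for readability only.
const SQ_GET  = 1;
const SQ_POST = 2;
const SQ_FORM = SQ_GET | SQ_POST;   // token accepted from either form method

// Hypothetical stand-in for sqgetGlobalVar(): look $name up in the request
// arrays selected by $where, set $value and return true on a hit.
function get_request_var(string $name, &$value, int $where, array $get, array $post): bool
{
    if (($where & SQ_POST) && isset($post[$name])) {
        $value = $post[$name];
        return true;
    }
    if (($where & SQ_GET) && isset($get[$name])) {
        $value = $get[$name];
        return true;
    }
    return false;
}

// The check options.php performs, parameterised by where the token may come
// from. Returns a short verdict string instead of rendering an error page.
function check_request(int $where, array $get, array $post, string $session_token): string
{
    if (!get_request_var('smtoken', $submitted, $where, $get, $post)) {
        return 'no token';
    }
    // Constant-time comparison against the token stored in the session.
    return hash_equals($session_token, (string) $submitted) ? 'ok' : 'bad token';
}

// Constructed sample requests (not captured traffic).
$session_token = bin2hex(random_bytes(16));
$form_post           = ['optpage' => 'display',  'smtoken' => $session_token]; // normal settings form
$plugin_redirect_get = ['optpage' => 'myplugin', 'smtoken' => $session_token]; // plugin returning via URL
$wrong_token_get     = ['optpage' => 'display',  'smtoken' => 'not-the-session-token'];

printf("POSTed form, SQ_POST:   %s\n", check_request(SQ_POST, [], $form_post, $session_token));
printf("plugin GET,  SQ_POST:   %s\n", check_request(SQ_POST, $plugin_redirect_get, [], $session_token));
printf("plugin GET,  SQ_FORM:   %s\n", check_request(SQ_FORM, $plugin_redirect_get, [], $session_token));
printf("wrong token, SQ_FORM:   %s\n", check_request(SQ_FORM, $wrong_token_get, [], $session_token));
```

With SQ_POST the plugin's redirect is rejected for lack of a token even though it carries the right value; with SQ_FORM it is accepted, while a request with a wrong token is still refused, so widening the lookup does not weaken the forgery check itself. What does change is exposure: a token that travels in a URL can end up in browser history, proxy logs and Referer headers, which is why a plugin that can submit through a form should put the token in a hidden field, as the thread later suggests for newmail_opt.php, and use the query string only when it has no other option.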

Re: About new security in SquirrelMail 1.4.20rc2

by Paul Lesniewski

On Fri, Sep 11, 2009 at 1:35 AM, Fernando Gozalo <fgozalo@...> wrote:

> Hello:
>
> Please consider changing, in /src/options.php, the line
>
> if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
>                                                 ^^^^^^^
> to
>
> if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) {
>                                                 ^^^^^^^
>
> Plugins that return to options.php after saving can only pass the token in
> the URL.

Please provide an example plugin

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: About new security in SquirrelMail 1.4.20rc2

by Fernando Gozalo

On 11/09/09 19:51, Paul Lesniewski wrote:

> On Fri, Sep 11, 2009 at 1:35 AM, Fernando Gozalo <fgozalo@...> wrote:
>> Hello:
>>
>> Please consider changing, in /src/options.php, the line
>>
>> if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
>>                                                 ^^^^^^^
>> to
>>
>> if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) {
>>                                                 ^^^^^^^
>>
>> Plugins that return to options.php after saving can only pass the token in
>> the URL.
>
> Please provide an example plugin
>

It's a custom plugin.

I thought that "newmail" had the same problem, but looking more
carefully, it is possible that "newmail/newmail_opt.php" only needs a hidden
'smtoken'.

Does the change have implications I don't see?

Thanks,
Fernando.




Re: About new security in SquirrelMail 1.4.20rc2

by Paul Lesniewski

On Fri, Sep 11, 2009 at 11:47 AM, Fernando Gozalo <fgozalo@...> wrote:

> On 11/09/09 19:51, Paul Lesniewski wrote:
>> On Fri, Sep 11, 2009 at 1:35 AM, Fernando Gozalo <fgozalo@...> wrote:
>>> Hello:
>>>
>>> Please consider changing, in /src/options.php, the line
>>>
>>> if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
>>>                                                 ^^^^^^^
>>> to
>>>
>>> if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) {
>>>                                                 ^^^^^^^
>>>
>>> Plugins that return to options.php after saving can only pass the token in
>>> the URL.
>>
>> Please provide an example plugin
>>
>
> It's a custom plugin.
>
> I thought that "newmail" had the same problem, but looking more
> carefully, it is possible that "newmail/newmail_opt.php" only needs a hidden
> 'smtoken'.

I haven't seen any plugins that have a problem with the code as it is,
but probably haven't tested them all.  If you can't point to a public
one that has a problem here, please tell us about what your plugin is
trying to do.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: About new security in SquirrelMail 1.4.20rc2

by Paul Lesniewski

>>>> Please consider changing, in /src/options.php, the line
>>>>
>>>> if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) {
>>>>                                                 ^^^^^^^
>>>> to
>>>>
>>>> if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_FORM)) {
>>>>                                                 ^^^^^^^

I verified that this is needed in some cases.  I have made this
change.  Thanks for the request.


--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
