Still problems with 1.4.19 and "you must be logged in" error

Hello

We are still having big problems with cookies under testing, before we
upgrade to 1.4.19.

These problems are stopping us from upgrading from 1.4.17 to 1.4.19
because with 20.000+ user of squirrelmail in our system, having to
delete all squirrelmail cookie information from their browser will not
be a practical solution (not to mention the telefon queue we would get
in the support senter when squirrelmail stops working for all of them at
the same time)

The problem is the one explained in:

[SM-USERS] upgrade to 1.4.18 gives "you must be logged in" error
[SM-USERS] 1.4.18 bug with src/redirect.php on php4.3.3

Description of the problem:

After upgrading to 1.4.19, the only page an user will see after logging
in will be the default page with the left/right frame and folders/INBOX
information. Any click after this point will show a "you must be logged
in" error.

The only way of getting rid of this problem is deleting all cookie
information from squirrelmail in your browser or reverting to 1.4.17.

Deleting this code in src/redirect.php:

--------------------------------------------------------------------
if (function_exists('session_regenerate_id')) {

    session_regenerate_id();

    // re-send session cookie so we get the right parameters on it
    // (such as HTTPOnly, if necessary - PHP doesn't do this itself

    sqsetcookie(session_name(),session_id(),false,$base_uri);
}
--------------------------------------------------------------------

Or applying this patch to src/redirect.php:

--------------------------------------------------------------------
-- src/redirect.php    (revision 13680)
+++ src/redirect.php    (working copy)
@@ -80,6 +80,8 @@
      */
     if (function_exists('session_regenerate_id')) {
         session_regenerate_id();
+        if (!headers_sent())
+           sqsetcookie(session_name(),session_id(),false,$base_uri);
     }

     $onetimepad = OneTimePadCreate(strlen($secretkey));
--------------------------------------------------------------------

Do not help and the problem is still there after these changes.

I think that the problem is not in src/redirect.php but in
function/global.php. This new code in 1.4.19 looks like a candidate for
being the origin of this problem, don't you think?:

--------------------------------------------------------------------
if (isset($_COOKIE[session_name()])) {
        sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri);

        /*
         * Make sure to kill /src and /src/ cookies, just in case there are
         * some left-over or malicious ones set in user's browser.
         * NB: Note that an attacker could try to plant a cookie for one
         *     of the /plugins/* directories.  Such cookies can block
         *     access to certain plugin pages, but they do not influence
         *     or fixate the $base_uri cookie, so we don't worry about
         *     trying to delete all of them here.
         */
        sqsetcookie(session_name(), $_COOKIE[session_name()], 1,
$base_uri . 'src');
        sqsetcookie(session_name(), $_COOKIE[session_name()], 1,
$base_uri . 'src/');
    }

    if (isset($_COOKIE['key'])) sqsetcookie('key', 'SQMTRASH', 1,
$base_uri);

    /* Make sure new session id is generated on subsequent
session_start() */
    unset($_COOKIE[session_name()]);
    unset($_GET[session_name()]);
    unset($_POST[session_name()]);
--------------------------------------------------------------------

Some tecnical information about our system:

- RHELS 5.3, Apache/2.2.11, PHP.5.2.8
- All traffic between the browser and apache uses SSL (port 443).
- Session data and userpref/addressbook are saved in a PostgreSQL database.


Do you need any more information?
How can we help to fix this problem?

regards
--
 Rafael Martinez, <r.m.guerrero@...>
 Center for Information Technology Services
 University of Oslo, Norway

 PGP Public Key: http://folk.uio.no/rafael/

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises
looking to deploy the next generation of Solaris that includes the latest
innovations from Sun and the OpenSource community. Download a copy and
enjoy capabilities such as Networking, Storage and Virtualization.
Go to: http://p.sf.net/sfu/opensolaris-get
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Hello

We are still having big problems with cookies under testing, before we
upgrade to 1.4.19.

These problems are stopping us from upgrading from 1.4.17 to 1.4.19
because with 20.000+ user of squirrelmail in our system, having to
delete all squirrelmail cookie information from their browser will not
be a practical solution (not to mention the telefon queue we would get
in the support senter when squirrelmail stops working for all of them at
the same time)

The problem is the one explained in:

[SM-USERS] upgrade to 1.4.18 gives "you must be logged in" error
[SM-USERS] 1.4.18 bug with src/redirect.php on php4.3.3

Description of the problem:

After upgrading to 1.4.19, the only page an user will see after logging
in will be the default page with the left/right frame and folders/INBOX
information. Any click after this point will show a "you must be logged
in" error.

The only way of getting rid of this problem is deleting all cookie
information from squirrelmail in your browser or reverting to 1.4.17.

Deleting this code in src/redirect.php:

--------------------------------------------------------------------
if (function_exists('session_regenerate_id')) {

    session_regenerate_id();

    // re-send session cookie so we get the right parameters on it
    // (such as HTTPOnly, if necessary - PHP doesn't do this itself

    sqsetcookie(session_name(),session_id(),false,$base_uri);
}
--------------------------------------------------------------------

Or applying this patch to src/redirect.php:

--------------------------------------------------------------------
-- src/redirect.php    (revision 13680)
+++ src/redirect.php    (working copy)
@@ -80,6 +80,8 @@
      */
     if (function_exists('session_regenerate_id')) {
         session_regenerate_id();
+        if (!headers_sent())
+           sqsetcookie(session_name(),session_id(),false,$base_uri);
     }

     $onetimepad = OneTimePadCreate(strlen($secretkey));
--------------------------------------------------------------------

Do not help and the problem is still there after these changes.

I think that the problem is not in src/redirect.php but in
function/global.php. This new code in 1.4.19 looks like a candidate for
being the origin of this problem, don't you think?:

--------------------------------------------------------------------
if (isset($_COOKIE[session_name()])) {
        sqsetcookie(session_name(), $_COOKIE[session_name()], 1,
$base_uri);

        /*
         * Make sure to kill /src and /src/ cookies, just in case there are
         * some left-over or malicious ones set in user's browser.
         * NB: Note that an attacker could try to plant a cookie for one
         *     of the /plugins/* directories.  Such cookies can block
         *     access to certain plugin pages, but they do not influence
         *     or fixate the $base_uri cookie, so we don't worry about
         *     trying to delete all of them here.
         */
        sqsetcookie(session_name(), $_COOKIE[session_name()], 1,
$base_uri . 'src');
        sqsetcookie(session_name(), $_COOKIE[session_name()], 1,
$base_uri . 'src/');
    }

    if (isset($_COOKIE['key'])) sqsetcookie('key', 'SQMTRASH', 1,
$base_uri);

    /* Make sure new session id is generated on subsequent
session_start() */
    unset($_COOKIE[session_name()]);
    unset($_GET[session_name()]);
    unset($_POST[session_name()]);
--------------------------------------------------------------------

Some tecnical information about our system:

- RHELS 5.3, Apache/2.2.11, PHP.5.2.8
- All traffic between the browser and apache uses SSL (port 443).
- Session data and userpref/addressbook are saved in a PostgreSQL database.


Do you need any more information?
How can we help to fix this problem?

regards
--
 Rafael Martinez, <r.m.guerrero@...>
 Center for Information Technology Services
 University of Oslo, Norway

We are experiencing the same exact type problems as mentioned above by
Rafael and are also running squirrelmail 1.4.19 on RHEL 5.3 with Apache
2.2.11 and PHP 5.2.5. I have tried commenting the whole IF statement around
line 82 in src/redirect.php and that did not work for us. I am using IE 7
to test.

What I am seeing is intermittent and varies as such:
1.  Sometimes when browsing to src/login.php I am redirected to the login
error page instead.
2.  When browsing to src/login.php and not redirected to the login page and
successfully log in, either both frames or one of the frames will be blank
while the other correctly displays the web content.
3. When browsing to src/login.php and not redirected to the login page and
successfully login, either both frames or one of the frames will display
webpage cannot be displayed while the other correctly displays the web
content.
4. Clicking on IE's refresh sometimes successfully refreshes the faulted
frame and other times takes you to the login error page.
5. After logging in with both frames working and just leaving the browser
sitting there with Inbox messages displayed, the left pane either goes
blank or displays webpage cannot be displayed. I think it must be occurring
during an auto refresh of the folders pane (as set in the folder options) .

When I  simply reconfigure httpd.conf to point to webmail-1.4.17 vice
webmail-1.4.19 and restart the httpd service all of the above problems go
away.

I have not seen a response back to Rafael's email above yet and was
wondering what the status of this is and if there is something that can be
done to correct this. I am anxious to go back to 1.4.19 because of all of
the security fixes contained in 1.4.18 including the very important fix
regarding remote execution of server side code.

r/Derek Wnek



------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises
looking to deploy the next generation of Solaris that includes the latest
innovations from Sun and the OpenSource community. Download a copy and
enjoy capabilities such as Networking, Storage and Virtualization.
Go to: http://p.sf.net/sfu/opensolaris-get
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

dwnek@... wrote:
[....]
Hello

We have found a way to avoid these problems.

We have deleted this code in src/redirect.php:

--------------------------------------------------------------------
if (function_exists('session_regenerate_id')) {

    session_regenerate_id();

    // re-send session cookie so we get the right parameters on it
    // (such as HTTPOnly, if necessary - PHP doesn't do this itself

    sqsetcookie(session_name(),session_id(),false,$base_uri);
}
-------------------------------------------------------------------

and this code in function/global.php:

--------------------------------------------------------------------

sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src');
sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri .
'src/');

--------------------------------------------------------------------

Maybe some of the developers can explain the implications of these changes.

With these changes, users logged in squirrelmail under the upgrade will
get the "you must be logged in" error, but everything will work without
problems when they logg in again after this.

It have been a nightmare since 1.4.19 was released knowing the version
we had in production had serious security problems and not been able to
upgrade.

We are very disappointed  with the null respond from developers we have
had on this issue.

regards
--
 Rafael Martinez, <r.m.guerrero@...>
 Center for Information Technology Services
 University of Oslo, Norway

 PGP Public Key: http://folk.uio.no/rafael/

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises
looking to deploy the next generation of Solaris that includes the latest
innovations from Sun and the OpenSource community. Download a copy and
enjoy capabilities such as Networking, Storage and Virtualization.
Go to: http://p.sf.net/sfu/opensolaris-get
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Rafael Martinez wrote:

>
> With these changes, users logged in squirrelmail under the upgrade will
> get the "you must be logged in" error, but everything will work without
> problems when they logg in again after this.
>

Correction, users will not have to login again after the upgrade is finish.

regards
--
 Rafael Martinez, <r.m.guerrero@...>
 Center for Information Technology Services
 University of Oslo, Norway

 PGP Public Key: http://folk.uio.no/rafael/

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises
looking to deploy the next generation of Solaris that includes the latest
innovations from Sun and the OpenSource community. Download a copy and
enjoy capabilities such as Networking, Storage and Virtualization.
Go to: http://p.sf.net/sfu/opensolaris-get
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

On Mon, 08 Jun 2009 11:30:12 +0200, Rafael Martinez
<r.m.guerrero@...> wrote:

>
>Maybe some of the developers can explain the implications of these changes.

It was in response to a security report.  We try to overwrite the
cookies that may already be set in the src/ directory to stop a hacker
from attempting to steal information.

>With these changes, users logged in squirrelmail under the upgrade will
>get the "you must be logged in" error, but everything will work without
>problems when they logg in again after this.

I've not seen the issue myself, but then cannot say I run on a large
variety of systems, so you may be coming across a combination we don't
know about.

What are you settings for session.auto_start in your php.ini?

It's probably possibly that we should be pushing the call to the
regenerate_id into src/login.php instead of src/redirect.php.

>It have been a nightmare since 1.4.19 was released knowing the version
>we had in production had serious security problems and not been able to
>upgrade.

>We are very disappointed  with the null respond from developers we have
>had on this issue.

I did notice that your report says you're using PHP 5.2.8, Chris
Hoogendyk reported a similar issue with 1.4.18, and had several
platforms upgraded.  Those running PHP 4.x worked, whilst the one
running 5.2 failed.  I'm running 5.2.0 without issues, so I'm
wondering if there might be additional changes that might cause some
problems, or a link between browsers too.

--
Jonathan Angliss
<jon@...>



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

On Thu, 11 Jun 2009, Jonathan Angliss wrote:

So is this the final word on this problem? We are having the same problem
with our setup.

Thanks,

Ken

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

On Wed, 17 Jun 2009 15:16:37 -0700 (PDT), SquirrelMail Email List
<sm@...> wrote:

I had not heard anything back from the original poster of the issue,
so I'm not sure what I can say.  As you're able to reproduce the same
issue, can you provide us with some more details? Platform? Web
server? PHP version? Plugin details?

--
Jonathan Angliss
<jon@...>


------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

On Thu, 18 Jun 2009, Jonathan Angliss wrote:

Sure. We're running a Debian Etch system here.

Apache2 version 2.2.3-4+etch8

Apache/2.2.3 (Debian) mod_auth_kerb/5.3 mod_fastcgi/2.4.2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2
Perl/v5.8.8 configured -- resuming normal operations

mysql-server-5.0 version 5.0.32-7etch10
postfix version 2.3.8-2+etch1
courier-authlib-mysql version 0.58-4+etch3

This system runs 2 gigs of memory.

Plugins:
     1. vlogin
     2. delete_move_next
     3. calendar
     4. message_details
     5. newmail
     6. sent_subfolders
     7. translate
     8. listcommands
     9. compatibility
     10. abook_import_export
     11. view_as_html
     12. timeout_user
     13. quicksave
     14. mail_fetch
     15. twc_weather
     16. unsafe_image_rules
     17. preview_pane
     18. cookie_warning
     19. askuserinfo
     20. folder_synch
     21. squirrel_logger
     22. vkeyboard
     23. change_sqlpass
     24. calendar_sql_backend
     25. sasql
     26. abook_group_pagination
     27. add_address
     28. select_range
     29. compose_extras
     30. filters
     31. squirrelspell
     32. dictionary
     33. get_uuencode
     34. custom_charset



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

On Thu, 18 Jun 2009, SquirrelMail Email List wrote:


I figured out the problem. I had at one point upgraded my php from version
4 to version 5. In version 4 I had set "session.auto_start = 0" but in
upgrade to verion 5 it got set to "session.auto_start = 1".

Squirrelmail version 1.4.17 worked fine with set on but 1.14.19 did not.
So set "session.auto_start = 1" in your php.ini file.

Ken

------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

On Mon, 29 Jun 2009, SquirrelMail Email List wrote:

Sorry made a mistake set "session.auto_start = 0" in your php.ini file.

Ken

------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

On Tue, Jun 30, 2009 at 6:35 AM, SquirrelMail Email List<sm@...> wrote:
If you had run src/configtest.php, you would have seen the issue right
away.  Always run configtest.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donations.php

------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

No need to double-post.  I am responding on the -users list here just
to say I am only going to reply further on the -devel list.

Show links please.  I don't see anything when searching for these:

http://search.gmane.org/?query=1.4.18+bug+with+src%2Fredirect.php+on+php4.3.3&author=&group=gmane.mail.squirrelmail.user&sort=date&DEFAULTOP=and&xP=Zbug%0918%09src%09redirect%09php&xFILTERS=Gmail.squirrelmail.user---A

http://search.gmane.org/?query=upgrade+to+1.4.18+gives+%22you+must+be+logged+in%22+error&author=&group=gmane.mail.squirrelmail.user&sort=date&DEFAULTOP=and&xP=Zupgrad%09Zgive%09Zmust%09Zlog%09Zerror&xFILTERS=Gmail.squirrelmail.user---A


And they *shouldn't* help.  The second "fix" here doesn't do anything
since that code should always run when headers have not been sent
unless a poorly coded plugin is in use.

> I think that the problem is not in src/redirect.php but in
> function/global.php. This new code in 1.4.19 looks like a candidate for
> being the origin of this problem, don't you think?:

I can't think anything because no one has been able to tell me how to
reproduce it.  This code merely kills the current cookies in the
browser, if any.

We need a reliable way to reproduce it.  You seem to be able to
reproduce it, so please explain how we can see the issue.  In
particular, what cookies have to be in the browser?  What browser do
you test with?  What about other browsers?  If you want to give
someone on the SM team access to your test environment, one of us
might be able to take a look at it there.

I ran some test code that sets a cookie in /src then rebooted the
browser and it works fine.  SM deletes the /src cookie as it was
designed to and logs in fine.  Deleting all user cookies is not
necessary that I know of.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donations.php

------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

On Tue, 30 Jun 2009, Paul Lesniewski wrote:

That is something I have put on the updates list to do from now one.

Thanks,

Ken

------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users