#51
Hi Guys, Thank you for your attention to this, but I wish I'd had an alert about it from you instead of my clients though!

Anyway - THERE'S STILL A PROBLEM - AND IT'S HUGE ...if we go to Horde we get the message you put up... this is good. HOWEVER, my clients are going to Yahoo because they do not know the difference between the address bar and the search bar, so when they type in the address they have for accessing their Horde Webmail, Yahoo Search results with a link. THIS LINK IS TAKING ANYONE, AND I MEAN ANYONE, DIRECTLY INTO THEIR HORDE EMAIL - WITHOUT LOGGING IN OR ANYTHING - BANG YOU'RE IN!!! I JUST DID THIS ON TWO ACCOUNTS!! HOW DO I STOP IT? IT'S ON ALL MY ACCOUNTS! I'm on PUMA.

Last edited by twohawks; 03-07-2008 at 11:35 AM.
#52
If I go directly to http://www.thedomain.com:2095/horde/index.php I see the alert message you put up, but the Yahoo link goes right in without being logged in. Here's an example... http://rds.yahoo.com/_ylt=A0oGkxkpfd...orde/login.php

Of course, I am sure any search will have its own pseudo-encryption, but that's the deal.
#53
100,000s of people were emailed about this today.
http://www.securityfocus.com/archive.../30/0/threaded
__________________
Gators love marshmallows.
#54
I hope tech support doesn't get upset with my posting here as well as in my support ticket... but I feel others should know about this...

My message to support a little while ago: "More info, and another request. I need to be able to log users out of their email accounts - but I do not know how this is possible? I am getting reports that users can use their back button to go back into their Horde email from computers where they have logged in (from). This means if anyone has logged in from somewhere else they supposedly can get into those accounts. I am unable to reproduce the problem from my computer here, but I was just on the phone with a very upset client and I can reproduce the problem on their machine! They are insisting I either shut down the accounts or log them out from the server. I need to know how I can do this, and/or I need you to log everyone out of their email on all of my accounts please."

More info... I tried logging them out by having them go into Squirrel instead and using the "Signout Button" there, because in Horde right now the sidebar with the logout button is not present - so we thought they could not log out simply because there's no button for doing so. Logging out from Squirrel did not work. I was sure to close their browser and clear cache and cookies and do this again, both before and after, but no way... they get back in every time. I cannot do it from my Win2k machine. They are using WinXP over there.

Interestingly, I had this reported to me weeks ago, about getting back in when they thought they'd logged out. Since I could not reproduce the problem here I thought it was a fluke (cookies or whatever)... but now I am really concerned about this. BTW, they reported this before while using either Squirrel or Horde.
#55
It's been almost an hour and I am getting no responses from tech support - but you can be assured my clients are crawling up my behind on this one...

Anyone know how I can log people out of their email accounts without shutting down their accounts entirely?
#56
Cookies have been a problem with a few cPanel versions; they keep WHM & Webmail logged in for the same system on a few browsers.

It's not a Hostgator issue. In fact, you can suggest your client clear temporary internet files and cookies until this bug is solved by the cPanel team.
#57
Hi Folks,

Can anyone else confirm these results? This is what I got so far on reentering Horde after supposedly having successfully logged out...

1) Login to Webmail at www.thedomain.com/webmail
2) Choose Horde - you will see the message left by Hostgator
3) Change "index.php" at the end of the URL in the address bar to "login.php", or select it from history in the address bar (or a link you keep, or from wherever... links relating to your Horde email)
4) You will get the Horde Login Button
5) Click the Login button to enter - but you will get Hostgator's message
6) Click your back button and you are in Horde
7) If you are not in Horde, try other saved links or history links... like I did this in another browser (IE 5.5 and IE6) where I did not get in on #6, but when I selected a link such as "http://www.thedomain.com:2095/horde/imp/mailbox.php?mailbox=INBOX&actionID=login" ....I went right in.
8) Since you cannot logout from there because the sidebar is gone, go to www.thedomain.com:2095/webmail
9) Click on SquirrelMail
10) Click SignOut
11) Click the Back button, dismissing prompts to login. Eventually, going back and forth, you may get into your webmail.
12) If you do not get into your email you may see that you do access the Horde page with the login button.
13) When you click it, it seems you cannot get in.
14) Then selecting www.thedomain.com/webmail gives you the webmail client selector.
15) From there you can click right into your webmail via Squirrel or Horde. Again, with Horde you may need to "accidentally select" your login.php page, either using the back button or history links...

That's what I got so far, and I can duplicate it every time... on my Win2k box, so this is not XP dependent as may have been implied by earlier posts. What's up with this?
#58
Quote:
Hi ghpk, Thank you for the post. As I clearly stated in my earlier post, we did clear cookies and cache during testing - didn't make any difference.
#59
Quote:
Should I have received that e-mail you are talking about? The reason why I ask is because I didn't receive it.

Is it okay to use Horde now? I can log in and out of it now, but after reading twohawks' posts I'm wondering whether I should be. SquirrelMail too for that matter, again seeing twohawks' posts.

All along I have been logging into my webmail with the link I get when I log out. You know, the login_theme=cpanel link on this page, http://example.com:2095/webmaillogout.cgi. I have just bookmarked that page and use it to log into 3 e-mail accounts I have. Is that a problem? I see most in here are using this link http://www.example.com/webmail. Obviously example means domain.

Thanks Mike
#60
I assume this message left by Hostgator has been removed. It must have been, because I don't see it.
Mike
#61
Hi MikeMac,

Yeah, I still see the message there - "Horde has been disabled due to a security vulnerability."

This was a real day from hell. Just received a response from Hostgator support... about 10 hours later. This is so frustrating and disappointing. I never have expected support to respond immediately to anything, but when this is such a major thing affecting everyone, and I have gone to lengths to investigate and provide reproducible results for a very disturbing problem... damn it, I expect better than waiting all day while my clients are left only to lose complete confidence in the support I am trying to provide them on account of being left holding the ball by myself. This was a horrible day for my business because of this... not due to the problem, but due to lack of any supportive response from Hostgator support so I could have had some help for handling it better.

I am also surprised no one else here has responded to what I posted... surely if I was able to reproduce such alarming results to a security risk that obviously affects us all, then others would be interested and checking this out... no? Or maybe I am expecting too much, that our email should be more secure?

Last edited by twohawks; 03-08-2008 at 02:00 AM.
#62
BTW, I found that if I ftp into /etc/domain.com/@pwcache and mess directly with the "passwd" entry, as soon as the client's email refreshes they are effectively out, and cannot get back in without logging in again.

This means I can effectively "logout" anyone remotely if I know the refresh is within a certain time period. However... here's something interesting: you would think the hash (digest-ha1), if changed in this file, would effectively render the client session inoperable, but this is not the case. I did some research on this and found some not so encouraging information about the reliability of this form of "Digest Access Authentication". I am not the expert so maybe this is not "it", but the fallibility referred to in this article (http://en.wikipedia.org/wiki/Digest_...authentication) left me wondering. Seems more likely to me to be an issue there than cookies, when I have already conducted tests that I think clearly rule out cookies as being the problem. Either DAA fallibility is a factor here, and/or I would consider the PHP code for managing this webmail might not be coded well/securely enough. I would be interested in any of your thoughts on this.

Cheers, TwoHawks
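The two experiments in posts #57 and #62 (a session that survives logout and the Back button, and a session that survives a change to the stored digest HA1) both come down to what the server keeps in its own session record and when it re-checks it. The following is an added example, not code from this thread, from Horde or from cPanel: a toy webmail backend with a broken logout beside a correct one, plus a session bound to the credential it was opened with, so that overwriting the HA1 on disk behind the application's back revokes it on the next request. The class and function names, the realm "webmail", the sample user and password, and the URL paths are all made up for illustration.

```python
# Added example, not Horde or cPanel code. Names, realm, user and paths
# are hypothetical.
import hashlib
import hmac
import secrets
import time

# Tell the browser not to keep a copy of an authenticated page, so the Back
# button has to re-request it and therefore hit the session check.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


class Webmail:
    """Toy backend: a password file of digest HA1 values plus a server-side
    session table keyed by an unguessable session id."""

    def __init__(self, password_file, realm="webmail", ttl=900):
        self.password_file = dict(password_file)  # user -> HA1 (constructed)
        self.realm = realm
        self.ttl = ttl
        self.sessions = {}  # sid -> {"user", "ha1", "expires"}

    @staticmethod
    def ha1(user, realm, password):
        # HA1 as HTTP Digest stores it: MD5(user:realm:password)
        return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

    def login(self, user, password):
        stored = self.password_file.get(user)
        if stored is None or not hmac.compare_digest(
            stored, self.ha1(user, self.realm, password)
        ):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "user": user,
            "ha1": stored,  # remember which credential opened this session
            "expires": time.time() + self.ttl,
        }
        return sid

    def _session(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if s["expires"] < time.time():
            del self.sessions[sid]
            return None
        # Credential binding: if the HA1 on file no longer matches the one
        # this session was opened with, the password changed; revoke it.
        if self.password_file.get(s["user"]) != s["ha1"]:
            del self.sessions[sid]
            return None
        return s

    def mailbox(self, sid):
        """GET /horde/imp/mailbox.php with cookie sid=<sid>.
        Returns (status, headers, body)."""
        s = self._session(sid)
        if s is None:
            return 302, {"Location": "/horde/login.php", **NO_STORE_HEADERS}, ""
        return 200, dict(NO_STORE_HEADERS), f"INBOX of {s['user']}"

    def logout_weak(self, sid):
        """Broken logout: only tells the browser to drop the cookie. The
        server-side record stays valid until it expires."""
        return 302, {"Set-Cookie": "sid=; Max-Age=0", "Location": "/webmail"}, ""

    def logout(self, sid):
        """Correct logout: destroy the server-side session, then clear the
        cookie and forbid caching of the response."""
        self.sessions.pop(sid, None)
        return 302, {"Set-Cookie": "sid=; Max-Age=0",
                     "Location": "/webmail", **NO_STORE_HEADERS}, ""


def fresh_app():
    # Constructed sample password file with one user.
    return Webmail({"alice": Webmail.ha1("alice", "webmail", "s3cret")})


def replay_after_logout(weak):
    """Log in, log out (weak or correct), then replay the old cookie.
    Returns the HTTP status of the replayed mailbox request."""
    app = fresh_app()
    sid = app.login("alice", "s3cret")
    (app.logout_weak if weak else app.logout)(sid)
    return app.mailbox(sid)[0]


def replay_after_password_file_edit():
    """Log in, overwrite the user's HA1 directly in the password file (no
    call into the application, like editing @pwcache over FTP), then replay
    the old cookie. Returns the HTTP status."""
    app = fresh_app()
    sid = app.login("alice", "s3cret")
    app.password_file["alice"] = Webmail.ha1("alice", "webmail", "changed")
    return app.mailbox(sid)[0]


if __name__ == "__main__":
    print("weak logout, replay:", replay_after_logout(True))
    print("correct logout, replay:", replay_after_logout(False))
    print("HA1 edited on disk, replay:", replay_after_password_file_edit())
```

The check that separates the two failure modes in a real deployment is the same as `replay_after_logout`: log out, then from a second client send one fresh request for an authenticated page carrying the old cookie (for instance with curl and `-b`), ignoring whatever the Back button displays. A 200 on that replay means the server never revoked the session, and clearing the browser's cache and cookies cannot fix it; a stale page on the Back button together with a 302 on the replay is the missing `Cache-Control: no-store` problem instead. Binding the session to the credential's hash is one way to make an out-of-band password change take effect without a restart; an explicit purge of the user's sessions in the password-change path is the other, and a careful implementation does both.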
#63
TwoHawks,

You're not going to get the kinds of answers or solutions you're looking for here. You'd have better luck at the cPanel forums, because the Hostgator installation is just the cPanel installation, or one of the Horde lists: http://www.horde.org/support.php

-Matt
__________________
Follow me on Twitter! http://twitter.com/mrw
#64
Quote:
That is why I am asking "Is it okay to use Horde now?" I can log in and out of Horde okay now but I don't know whether I should be or not. An official reply from HG would be handy right about now.
Mike
#65
#66
Quote:
They have enabled it because it is safe.
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss
#67
Quote:
__________________
Have a great day, Evan
#68
Quote:
#69
I would contact support and make them aware. You can submit a ticket or contact Live Chat. It may have just been overlooked.
#70
</gr_replreplace>
<gr_replace lines="185-186" cat="reformat" orig="Quote:">
Quote:
Thanks, slapshotw

BTW, right now (we are on Puma) Horde Webmail is still displaying the Hostgator message (i.e., must be disabled). I thought it was declared fixed?
Quote:
Thanks, slapshotw BTW, Right now (we are on Puma) Horde Webmail is still displaying the Hostgator message (i.e., must be disabled). I thought it was declared fixed? |
#71
Email support,
The server may have been overlooked.
__________________
http://free-vent.com Providing FREE PUBLIC Ventrilo (VOIP) use.
#72
Thanks Jordan.

***I just wish to thank Hostgator staff for their attentive efforts - ***thank you.

However, I feel there are still some potentially serious problems that have come to light in the wake of all this. To anyone reading this, I have started a new thread here: http://forums.hostgator.com/showthread.php?p=107279 ...regarding how I am gaining access not only to webmail (which is still the case) but also to my WHM... after logging out, even after clearing cookies and cache and restarting my browser. I wish to know if anyone else is able to reproduce my results, and how we can get this addressed. Mind you, this is a cPanel problem, but I feel that, if true, then it affects us all over here at Hostgator. Of course, it could be I am overlooking something while I am testing - it would be a delight if someone were able to help me see if/how that's the case.

Cheers, TwoHawks

Last edited by twohawks; 03-09-2008 at 02:18 PM.
#73
So what email can we use?
#74
Without criticizing anyone, I have found SquirrelMail and RoundCube far better than Horde. But to each his own.

In any case, my company's email is funneled through Google Apps these days, and Google's Webmail, when I need to use it, remains a delight. And they have the best spam filtering in the industry. It's far better than SpamAssassin, even though you can come close with decent configuration and a little trial and error.
#75
TwoHawks--

If you have found a serious problem I suggest two things:
1. Posting it to the cPanel forums
2. Posting a bug in cPanel bugzilla: http://bugzilla.cpanel.net/

We will benefit most if that community is made aware.

-Matt
__________________
Follow me on Twitter! http://twitter.com/mrw