
Horde security bug?

Discussion in 'Security' started by ricardom, Apr 25, 2004.

  1. ricardom

    Hello,

    I noticed this in Horde Web Mail:

    Log in with the master account of the domain; on the top menu, the user can view other inboxes that are owned by other users of the domain.

    For me this is a security hole, since it allows someone to spy on others' emails.

    Does anyone know how to disable this feature (bug)?

    Any help will be appreciated.
     
  2. Juanra

    Note that whoever knows the password for the main account can also see the raw contents of the email inbox files from cPanel or download them through FTP.
     
  3. charlie

    Note that whoever knows the password for the main account can also change webpages, look in the home directory, upload scripts and run the entire website.

    Horde seems to be set up so that the domain owner can manage all email on the domain.
     
  4. Juanra

    LOL. Note that whoever knows the password for the main account can also learn to play golf, phone his or her relatives, and dance the Macarena all night long.

    Even if Horde wasn't set up for the main account user to manage all email accounts in the domain, that wouldn't prevent him or her from spying on others' emails, which was the OP's concern.
     
  5. ricardom

    Squirrel doesn't do this, and neither does neo-mail; this is not ethical toward the other users of the domain.

    Is there some way that this can be turned off?
     
  6. Izzee

    :) The shock that Internet users get when they are suddenly confronted with the fact that email, a postcard equivalent in snail mail, can be read by server owners (a postman), including their very own ISP, never fails to make me smile.

    Now you might understand that if you want your email to be placed in the snail mail equivalent of an envelope you need to learn how to encrypt it. Do an Internet search for details.

    You can disable Horde or indeed any or all of the webmail progs in WHM under Tweak Settings, and of course you don't have to look in other users' Inboxes if you don't want to.
     
  7. ricardom

    I'm the only root of the server, and I'm ethical enough not to read others' emails; if other admins don't think that way, I am really worried about this issue.

    I use encrypted emails when I want to, but I'm not worried about my emails, just about others' emails, which can be viewed by the master user of the domains hosted on my server.

    I don't want to turn Horde off; that is a very simple way to deal with this issue. Rather, I just want to deny this feature (view all mailboxes) in Horde, like Squirrel and NeoMail do.

    I looked at the Horde FAQ and at the conf files, but I'm not able to turn this feature off. Does someone here know how to do that?
     