tardis2112 Newbie


Joined: 10 May 2007
Online Status: Offline Posts: 10
Posted: 20 August 2007 at 12:42pm
We are having a hard-to-track-down problem with Webmail Pro. At intermittent times, users are redirected to mailboxes other than their own. We can't seem to reproduce the error, but have had several reports of this from our users. I have seen it happen twice myself: once when deleting a folder, and once after hitting Get Mail on the list page. This is a huge security issue. We have a hundred users using the system and need help on this ASAP!
Andrew AfterLogic Support

Joined: 28 April 2006 Location: United States
Online Status: Offline Posts: 1189
Posted: 20 August 2007 at 11:08pm
Which database engine (exact name and version) do you use as a backend for WebMail Pro 3.4? Do users log into the system through the standard login form or through the RedirectUser class, bypassing the standard login form (i.e. WebMail Pro 3.4 is integrated into your existing system)?
Have you made any modifications to the original source code (we remember that we provided you with a custom modification done by us)?
Which web browser (exact name and version) did you use when the issue happened?
Could you please provide us with the following details:
- URL pointing to your WebMail Pro installation;
- a test account on your mail server (to let us log into the system);
- password to WebMail Administration Console or screenshots of all settings specified there;
- FTP with write permission to your WebMail Pro installation.
Please use the Request Support Form for this purpose.
Best regards,
Andrew
Andrew AfterLogic Support

Joined: 28 April 2006 Location: United States
Online Status: Offline Posts: 1189
Posted: 22 August 2007 at 12:43am
Thank you for the FTP access and the test account you provided.
You're the first customer who has encountered such an issue in several years of WebMail Pro's life.
We researched the source code of your WebMail Pro installation and found you made a lot of serious custom modifications to the original source code. Some of them affect the security of the system.
There are a lot of various reasons which may cause the issue you encountered. Some suppositions:
- Something is wrong with the session necessary for WebMail Pro to work correctly. The original RestoreAccountFromSession function contains approximately 100 lines; your version of the function, named AFTCO_RestoreAccountFromSession, contains only 10 lines. Perhaps you missed something important during modification.
- We're not able to investigate the issue because we don't know where your system (which WebMail Pro is integrated into) creates an instance of the RedirectUser class and initiates the autologin process. You should make sure the username and other data passed to the RedirectUser object are correct. Please note that wm_email is the only required parameter; the other ones are optional:
Code:
<%
Set rUser = New RedirectUser
rUser.wm_email = "login@domain.com" ' Required parameter
rUser.wm_login = "login" ' Optional parameter
rUser.wm_password = "password" ' Optional parameter
rUser.wm_mailhost = "pop.domain.com" ' Optional parameter
rUser.UserLogin()
%>
- We noticed your custom code actively uses cookies. Actually, the number of cookies that can be created by the same web site is limited to a certain number, but an ASP session requires one cookie to identify the user. So if your custom code creates a lot of cookies, they may take the place of the ASP session cookie, so the session is lost and it's impossible to predict the aftereffects.
- There are a lot of other possible reasons for the issue which might be caused by the custom modifications.
Also, please note, we're not able to provide support for versions of WebMail Pro which contain custom modifications done by customers themselves only if they argue the issue happens in the original source code or is caused by the modifications done by us.
Best regards,
Andrew
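Added example, not part of the thread and not AfterLogic's code: a Python check for the cookie hypothesis in the support reply above, run over the Cookie headers of successive requests to flag where the classic ASP session cookie (name prefix ASPSESSIONID) disappears or changes as custom cookies pile up. The client key, the sample headers and the limit of 20 cookies per site are constructed assumptions.

```python
# Added example: audit Cookie headers for loss of the classic ASP session cookie.
COOKIE_LIMIT = 20                # assumption: per-site cap of the browser in use
SESSION_PREFIX = "ASPSESSIONID"  # classic ASP names its session cookie ASPSESSIONID<suffix>


def parse_cookie_header(header):
    """Return {name: value} for one request's Cookie header."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def audit_requests(requests, limit=COOKIE_LIMIT):
    """requests: (client, cookie_header) pairs in arrival order.
    Returns (index, client, finding) tuples."""
    last_session = {}  # client -> (name, value) of the last session cookie seen
    findings = []
    for i, (client, header) in enumerate(requests):
        cookies = parse_cookie_header(header)
        session = [(n, v) for n, v in cookies.items() if n.startswith(SESSION_PREFIX)]
        if len(cookies) >= limit:
            findings.append((i, client, "cookie count at limit"))
        if not session:
            if client in last_session:
                findings.append((i, client, "session cookie missing"))
            continue
        if client in last_session and last_session[client] != session[0]:
            findings.append((i, client, "session id changed"))
        last_session[client] = session[0]
    return findings


def _custom(n):
    """Constructed stand-in for n cookies set by custom code."""
    return "; ".join(f"pref{k}=x" for k in range(n))


SID = "ASPSESSIONIDQQGGABCD="  # constructed cookie name
SAMPLE = [  # constructed requests from one client
    ("client-a", SID + "A" * 24 + "; " + _custom(3)),
    ("client-a", SID + "A" * 24 + "; " + _custom(19)),
    ("client-a", _custom(20)),
    ("client-a", SID + "B" * 24 + "; " + _custom(19)),
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE):
        print(finding)
```

A "session cookie missing" finding followed by "session id changed" for the same client is the pattern to correlate with the times users reported the problem.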