Zarafa socket warning

Someone (of my family) has noticed that he could login to the Zarafa webaccess without a passwd
I was very surprised coz I had never tried to login with a wrong passwd

It seems that if your php is running with the same account as your Zarafa server the socket grants everything

What was I thinking when I changed this server to apache2-mpm-worker and fastcgi (exept the fact for tuning my apache)
taking a simple username for zarafa ...
Forgotten that Zarafa was running with the user zarafa!
And even worse I did not check for wrong passwords after migrating

So if you want to SuexecUserGroup create a uniq uid
Also playing save is switching the socket to a tcp socket
The http socket will alway's ask for credentials

(vi /usr/share/zarafa-webaccess/config.php)
- define("DEFAULT_SERVER","file:///var/run/zarafa");
+ define("DEFAULT_SERVER","http://localhost:236/zarafa");

(don't forget z-push and webaccess-mobile they have there own config file)

By mario at 05/31/2010 - 18:19
Add new comment

mario.verbelen.org

Zarafa socket warning

Search