helpdesk-login

Forster, Gabriel Gabriel.Forster at searshc.com
Thu Dec 3 16:20:09 CET 2015


So, it was found that there is an implementation of CSRF in newer versions of roundcube. Doesn't work well and isn't needed for our purposes. It was allowing authentication, but would not display the user's mailbox.

We are using the following workaround - basically comment out things related to CSRF.

comment out check request token and check referer ~line 871 /usr/share/roundcubemail/program/include/rcmail.php

comment out CSRF prevention section line ~239 /usr/share/roundcubemail/index.php

add ErrorDocument for the 404 to /usr/share/roundcubemail/.htaccess


It now works flawlessly for us. We still aren't quite sure what exactly is generating the token in the first place, thus the modification to .htaccess

Gabriel Forster - Email Engineering (Kolab)
________________________________
From: Forster, Gabriel
Sent: Friday, October 30, 2015 10:16 AM
To: alby87 at inwind.it; users at lists.kolab.org
Subject: RE: Re: helpdesk-login


Any idea where the referenced template is now?

http://git.kolab.org/pykolab/tree/share/templates/roundcubemail/kolab_auth.inc.php.tpl

getting a 404 error after authenticating as another user (the auth is successful)

Gabriel Forster
________________________________
From: users-bounces at lists.kolab.org [users-bounces at lists.kolab.org] on behalf of alby87 at inwind.it [alby87 at inwind.it]
Sent: Wednesday, October 28, 2015 4:35 AM
To: users at lists.kolab.org
Subject: R: Re: helpdesk-login

Hi

I wrote to this list some time ago about this, and I got this response:

http://lists.kolab.org/pipermail/users/2014-December/018418.html

Just clone what you use for accessing yourserver.com/webmail calling it (mandatory) 'helpdesk-login'

Hope this helps :D
----Original message----
From: trogdor at gabrielforster.com
Date: 27/10/2015 12.42
To: <users at lists.kolab.org>
Subject: Re: helpdesk-login

Any ideas? Still can't figure out why this isn't working in Kolab 3.4

On Tue, Oct 20, 2015 at 10:43 AM, Trogdor Wasaman <trogdor at gabrielforster.com> wrote:
Anyone know how to set this up? We have the correct info in our kolab_auth.php


if (( preg_match('/webmail/', $_SERVER["HTTP_HOST"]) ) &&
   preg_match('/^\/helpdesk-login\//', $_SERVER["REQUEST_URI"]) ) {
   // Login and password of the admin user. Enables "Login As" feature.
   $rcmail_config['kolab_auth_admin_login']    = "MASKED";
   $rcmail_config['kolab_auth_admin_password'] = "MASKED";
   $rcmail_config['kolab_auth_auditlog'] = true;
}

When navigating to /helpdesk-login, there isn't anything there. As if there should almost be another instance of roundcube.  I can't find any documentation on this feature.
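
The gate from the quoted kolab_auth.php snippet, as an added example that is not part of the original thread or of Kolab's own code: it evaluates the two preg_match conditions over constructed requests, next to a stricter variant that compares against an exact host name. The function names and the example.org hosts are assumptions.

```php
<?php
// Added example; function names are hypothetical, hosts are constructed.

// The gate as posted in the thread, with both patterns delimited.
// HTTP_HOST comes from the request's Host header, and the unanchored
// pattern matches any host name that merely contains "webmail".
function helpdesk_gate(string $host, string $uri): bool
{
    return preg_match('/webmail/', $host) === 1
        && preg_match('/^\/helpdesk-login\//', $uri) === 1;
}

// Stricter variant (assumption, not Kolab's code): exact host name with
// any port stripped, and the path must start with /helpdesk-login/.
function helpdesk_gate_strict(string $host, string $uri): bool
{
    $allowed = ['webmail.example.org'];   // constructed placeholder
    $name = strtolower((string) preg_replace('/:\d+$/', '', $host));
    $path = (string) parse_url($uri, PHP_URL_PATH);
    return in_array($name, $allowed, true)
        && strpos($path, '/helpdesk-login/') === 0;
}

// Constructed sample requests: [Host header, request URI].
$samples = [
    ['webmail.example.org',    '/helpdesk-login/'],
    ['webmail.example.org',    '/helpdesk-login/?_task=mail'],
    ['webmail.example.org',    '/helpdesk-login'],   // no trailing slash
    ['webmail.example.org',    '/webmail/'],         // normal webmail URL
    ['mail.example.org',       '/helpdesk-login/'],  // host lacks "webmail"
    ['notwebmail.example.net', '/helpdesk-login/'],  // host only contains it
];

// Print, per request, whether each gate would load the admin credentials.
foreach ($samples as [$host, $uri]) {
    printf(
        "%-24s %-30s posted=%-3s strict=%s\n",
        $host,
        $uri,
        helpdesk_gate($host, $uri) ? 'yes' : 'no',
        helpdesk_gate_strict($host, $uri) ? 'yes' : 'no'
    );
}
```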


