Kerio User Forums » Kerio Connect » Users are seeing other users' mailboxes in Webmail since 7.1.0
exportgoldman
Hello Everyone,

We publish our Kerio Connect server via Microsoft ISA Server 2004, and have rules setup to not cache any kerio webmail traffic.

This has worked fine for about a year now, but in the last few weeks we have users logging onto webmail and seeing other users' mailboxes.

This either happens straight away or after viewing a few messages, and the mailbox can change several times, e.g. hitting "next message" jumps me to Joe's mailbox, then "next" again jumps me to Johnny's mailbox, etc.

Is anyone else having this issue? Any ideas? Clearing the cookies (Kerio seems to store two cookies) fixes it for a while.
mrralan
Has anyone else seen this or just exportgoldman?
hgoldman
Yes we also have this. We find this to be a critical bug.
mrralan
Are you also using a Microsoft ISA Server?
hgoldman
No, we have a clean machine running Connect v7.1 connecting to an Active Directory setup.

However, when a user logs in he gets some weird errors, and when he refreshes he is another user. This happened using both IE8 and Chrome.
exportgoldman
First a correction, we are using ISA Server 2006.

I fired up Firebug, which is an add-on for Firefox for developers to do troubleshooting, and from my limited programming skills it appears the script on the CLIENT is requesting another user's mailbox, and the server is happily handing that down to the client.

Looks like a security hole; if you check the server console, the user which is connected to the webmail session according to the Kerio Admin console is still the original user.

This is definitely not allowing us to 'Connect.Communicate and Collaborate Securely.'

The ISA Server is 'bridging' the SSL Connection, and is set to make all requests to appear to come from the ISA Server, not individual users.

ActiveSync on Kerio doesn't break (I suspect since Microsoft wrote that spec they have already put fixes in the spec to avoid these types of issues), wikis on Apple OS X don't break, and Kaseya on IIS doesn't break, all while using this exact config.

It appears the only thing which breaks is the php code for the Kerio webmail.

I would hazard a guess and say the code has a bug which keeps track of users by IP address instead of cookies (although there are two cookies issued by webmail from what I can figure out).

This is a showstopper for us as well.

Also to note, we get no errors in Firefox using either full or mini webmail. Just another user's mailbox. It will change multiple times per session.

[Updated on: Tue, 17 August 2010 23:34]

Pavel Dobry (Kerio)
Hi,

Our research makes us believe that this issue is probably caused by mis-configuration on the proxy server (ignoring certain HTTP headers and cache directives). I would like to ask you to open a ticket at http://support.kerio.com to get in contact outside of this public forum. We need some details in order to help you resolve the issue and find out the real cause.
Thank you.
exportgoldman
Thank you for your response. We have logged a ticket and are awaiting a response. To note, we have disabled caching on the Kerio URLs in ISA, and completely disabled the ISA Disk Cache.

Interestingly enough, when looking at the requests to webmail in the ISA logs, ISA is not seeing the non-cacheable flags set, assuming, as you state above, that Kerio is inserting these flags into the HTML.

[Updated on: Fri, 20 August 2010 00:50]

Tim Heger
We are having the same issue since upgrading to 7.1. I opened a support ticket Aug 13 but have not received any solution to this critical problem yet. I consider this a sev 1 issue and significant security breach. This needs to be resolved ASAP.
Pavel Dobry (Kerio)
Tim, I checked other tickets in the eSupport system and found that you're running a proxy server and there were some troubles with that. So it seems to be an issue caused by proxy server mis-configuration. We've checked all changes between 7.0.x and 7.1.0 and found no relevant change explaining the issue.

However, we do have a possible workaround. I will send it to you in a PM. But even with the workaround, a mis-configured proxy server will remain a significant security threat to any web application. A proxy server MUST NOT cache responses to HTTP POST requests unless it is explicitly allowed in the HTTP headers:

Quote:
Responses to this method are not cacheable, unless the response
includes appropriate Cache-Control or Expires header fields. However,
the 303 (See Other) response can be used to direct the user agent to
retrieve a cacheable resource.

The situation is much worse if the proxy server is caching also encrypted HTTPS traffic which in fact becomes unsecured.
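The following is an added example, not code from this thread, from Kerio Connect or from ISA Server. It models a caching reverse proxy in front of a webmail backend to show two things the posts above describe: a proxy that stores POST responses while ignoring cache directives hands one user's mailbox to the next user who requests the same URL, and a proxy that applies the RFC 2616 section 9.5 rule quoted above (POST responses are not cacheable unless Cache-Control or Expires explicitly allows it) stays safe even in the case one poster reported, where the proxy saw no cache-control flags on the responses at all. All users, session cookies, paths and mailbox contents are constructed sample data; the backend and proxy are hypothetical.

```python
"""Model of a caching reverse proxy in front of a webmail backend (added example;
not code from the forum thread, Kerio Connect or ISA Server).
Users, sessions, paths and mailbox contents are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    cookie: str          # session cookie value (constructed)


@dataclass
class Response:
    body: str            # owner of the mailbox returned
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed session table of the hypothetical webmail backend.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def backend(req: Request, send_cache_headers: bool) -> Response:
    """Hypothetical webmail backend: answers with the session owner's mailbox.
    send_cache_headers=False mimics responses carrying no cache directives."""
    owner = SESSIONS.get(req.cookie, "anonymous")
    headers = {"Cache-Control": "no-store, private"} if send_cache_headers else {}
    return Response(body=owner, headers=headers)


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'no-store, max-age=0' into {'no-store': None, 'max-age': '0'}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip()] = arg.strip() or None
    return directives


def may_cache(req: Request, resp: Response) -> bool:
    """Storage decision of a correctly configured shared cache.

    no-store, private and no-cache keep a response out of a shared cache;
    a POST response is storable only when Cache-Control or Expires explicitly
    allows it (RFC 2616 section 9.5); in this simplified model only GET
    responses are stored otherwise."""
    cc = parse_cache_control(resp.headers.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc or "no-cache" in cc:
        return False
    if req.method == "POST":
        return ("public" in cc or "max-age" in cc or "s-maxage" in cc
                or "Expires" in resp.headers)
    return req.method == "GET"


class CachingProxy:
    """Reverse proxy whose cache is keyed on method and path only, so it has
    no idea which user's session produced a stored response."""

    def __init__(self, respect_directives: bool, backend_sends_headers: bool):
        self.respect_directives = respect_directives
        self.backend_sends_headers = backend_sends_headers
        self.cache: Dict[Tuple[str, str], Response] = {}

    def handle(self, req: Request) -> Tuple[Response, bool]:
        """Return (response, served_from_cache)."""
        key = (req.method, req.path)
        if key in self.cache:
            return self.cache[key], True
        resp = backend(req, self.backend_sends_headers)
        # Mis-configured proxy: stores every response, POST included.
        if not self.respect_directives or may_cache(req, resp):
            self.cache[key] = resp
        return resp, False


def mailbox_bob_sees(respect_directives: bool, backend_sends_headers: bool) -> str:
    """Alice loads her inbox through the proxy, then Bob loads his with his own
    session cookie. Returns the owner of the mailbox Bob is shown; 'alice'
    is the cross-user leak described in the thread."""
    proxy = CachingProxy(respect_directives, backend_sends_headers)
    proxy.handle(Request("POST", "/webmail/api/listMessages", "sess-alice"))
    resp, _ = proxy.handle(Request("POST", "/webmail/api/listMessages", "sess-bob"))
    return resp.body


if __name__ == "__main__":
    for respect in (False, True):
        for headers in (False, True):
            print(f"respect_directives={respect} backend_sends_headers={headers} "
                  f"-> bob sees mailbox of: {mailbox_bob_sees(respect, headers)}")
```

Running the block prints the four combinations: the proxy that ignores directives leaks Alice's mailbox whether or not the backend sent Cache-Control, while the proxy that applies the POST rule never stores the response, so the missing headers one poster observed in the ISA logs would not by themselves cause the leak on a compliant proxy.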
Pavel Dobry (Kerio)
If there is anyone still experiencing this issue, please let us know!
If you're running an Apache reverse proxy on Windows, make sure you don't hit the security issue in Apache: http://www.securityfocus.com/archive/1/archive/1/511809/100/0/threaded

Otherwise, please gather HTTP Server and PHP Messages debug messages from the Kerio Connect server and contact our technical support.
Thank you for cooperation.
Pavel Dobry (Kerio)
The problem has been found and will be addressed in the next service release. As a workaround you can disable keep-alive connections in the HTTP reverse proxy you use. For Apache it is the option 'SetEnv proxy-nokeepalive 1'.
Brendan_CSEL
We've got the same problem.

Does anyone know how to disable keep-alive for the reverse proxy in ISA Server 2006?
nbytes
I have the same problem and I cannot solve it.
I've opened a ticket with support and nothing.

I need help urgently!

nbytes
How can I disable keep-alive connections in ISA Server 2004?

[Updated on: Fri, 19 November 2010 20:00]
