[EMAIL PROTECTED] wrote:
Florian Munz wrote:
Hi Mike,
How do you do the authentication? Is re-authentication necessary, or can the user directly edit the webuserprefs from qmailadmin without new user/passwd input?
Qmailadmin uses dom and moduser to determine which account to modify. Webuserprefs assumes, if you provide it with those variables, that this is a trusted connection. My solution is to present a login box if webuserprefs/index.php is called with a GET method and to trust/use the provided data if a POST method is used. Here is the modified part of webuserprefs/config.php:
Just checking for data in $_POST is still pretty easy to spoof. To ensure there really is a QmailAdmin login that matches the credentials you have been presented with, you should look for QmailAdmin's session file.
$path = "/absolute/path/to/~vpopmail";
// A GET request, or a POST missing any of the three values QmailAdmin sends, is rejected outright
if( !isset( $_POST[ 'user' ], $_POST[ 'dom' ], $_POST[ 'time' ] )) {
die( "Missing session data!" );
}
// basename() drops any directory components, so the posted values cannot steer the path outside the Maildir
$user = basename( $_POST[ 'user' ] ); $dom = basename( $_POST[ 'dom' ] ); $time = basename( $_POST[ 'time' ] );
$SessionFileName = "$path/domains/$dom/$user/Maildir/$time.qw";
if( !file_exists( $SessionFileName )) {
die( "Session has been spoofed!" );
}
If you want to go further, and you believe in IP address checking, you can open the file and verify the IP address contained in it matches the IP address making the request. This can be a problem unless you have control of the entire network. It is a ./configure option in QmailAdmin which I for one leave off.
Rick
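As an added illustration of the check Rick describes (this is example code, not Rick's snippet and not part of QmailAdmin or webuserprefs), the function below wraps the session-file lookup with input validation and an optional IP comparison. The vpopmail base path, the function name and the assumption that the client address appears as a whole token somewhere in the .qw file are mine; the thread only says the file "contains" the IP address, so adjust the parsing to the QmailAdmin build you run.

```php
<?php
// Added example: stricter form of the QmailAdmin session-file check discussed in the thread.
// Assumptions (not from the thread): the $vpopmailBase argument, and that the .qw file holds
// the client IP as a whitespace-delimited token.

function verify_qmailadmin_session(string $vpopmailBase, array $post, ?string $remoteIp = null): bool
{
    // A GET request or an incomplete POST never reaches the file-system check.
    if (!isset($post['user'], $post['dom'], $post['time'])) {
        return false;
    }

    // Whitelist the characters an account, domain and timestamp can contain, so the
    // posted values cannot carry path separators or traversal sequences into the file name.
    if (!preg_match('/^[a-z0-9][a-z0-9._-]{0,63}$/i', $post['user'])) return false;
    if (!preg_match('/^[a-z0-9][a-z0-9.-]{0,253}$/i', $post['dom']))  return false;
    if (!preg_match('/^[0-9]{1,20}$/', $post['time']))                return false;

    $base        = rtrim($vpopmailBase, '/') . '/domains';
    $sessionFile = sprintf('%s/%s/%s/Maildir/%s.qw',
        $base, $post['dom'], $post['user'], $post['time']);

    // Resolve symlinks and confirm the file really lives under the domains tree.
    $realFile = realpath($sessionFile);
    $realBase = realpath($base);
    if ($realFile === false || $realBase === false) {
        return false;
    }
    if (strncmp($realFile, $realBase . '/', strlen($realBase) + 1) !== 0 || !is_file($realFile)) {
        return false;
    }

    // Optional IP binding (the ./configure option Rick mentions): only accept the
    // session if the requesting address is recorded in the session file.
    if ($remoteIp !== null) {
        $contents = file_get_contents($realFile);
        if ($contents === false) {
            return false;
        }
        $pattern = '/(^|\s)' . preg_quote($remoteIp, '/') . '(\s|$)/';
        if (!preg_match($pattern, $contents)) {
            return false;
        }
    }

    return true;
}

// Usage inside webuserprefs, in the POST branch (pass null as the third argument
// to skip the IP comparison, as Rick does):
// if (!verify_qmailadmin_session('/absolute/path/to/~vpopmail', $_POST, $_SERVER['REMOTE_ADDR'])) {
//     die('Session has been spoofed!');
// }
```

The regex whitelist does most of the work: file_exists() alone will happily confirm any readable file a crafted dom or user value points at, so constraining the inputs before building the path, and then checking realpath() against the domains directory, keeps the check meaning what it is supposed to mean. The nullable type hint requires PHP 7.1 or later.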
