SqWebMail security

This document describes the security-relevant aspects of the SqWebMail CGI application.


User IDs and Passwords

SqWebMail's security scheme requires a valid userid/password to access an account. The actual method for validating the userid and password is a black-box module that can be easily replaced. The example black-box implementation uses the PAM library if it is available; otherwise it checks the password against /etc/passwd and /etc/shadow using the crypt() function.

It is possible to configure SqWebMail to transmit the userid and password over secure HTTP (HTTPS). If secure HTTP is not available, the userid and password are transmitted over the network in the clear, where they can be picked up by a sniffer.

Mailbox IDs

After a userid and password are authenticated, the authentication module returns a 'mailboxid'. The mailboxid is used as a handle for the mailbox. A mailboxid is not necessarily the same as the userid, but the sample authentication modules make them the same.

Technically, the mailboxids generated by recent versions of sqwebmail are of the form "userid.method", where method names the authentication module that was used.

A mailboxid is sent with every HTTP request, as part of the request itself. Note that the mailboxid is transmitted over the network in the clear. It is also possible to use secure HTTP for every HTTP request, not just the initial authentication, but this has not been tested.

Unless the mailboxid is the same as a userid, there are few security considerations in having the mailboxid broadcast over the network, because the mailboxid in the HTTP request is validated against a time-limited IP address and a random session token (see "Authentication"). Note that there are certain other potential ways, in addition to network traffic sniffing, for an unauthorized party to attempt to grab mailboxids. See "Browser Security - HTML" and "Browser Security - Referrer: Tags".

Authentication

Once the user ID and password are authenticated, authentication for subsequent HTTP requests is based on a combination of the client's IP address plus a 128-bit random number that was generated during the login.

By default, SqWebMail permits access to the mailbox only from the same IP address as the one from which the user ID and password were authenticated. This check can be selectively turned off at login time, for cases where the client is behind a load-balancing firewall or proxy that presents multiple IP addresses. In all cases, the 128-bit random number must be transmitted with every HTTP request, and it must match the number generated during the login, which is saved in the Maildir directory.

The Maildir directory must therefore have all group and world access rights disabled; otherwise any local user who can read it can read the session token. Additionally, every page served by SqWebMail includes HTTP headers containing instructions to proxies and browsers that prohibit the page from being cached. There are some buggy web browsers out there - most of them originating in Redmond, WA - that ignore these caching directives, and they end up saving the 128-bit random number in the local cache. Unless access to the physical machine is secured, the local cache can be trawled to obtain the 128-bit authentication token.
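The following is an added example, written for this document and not taken from the SqWebMail source, that models the session scheme described above: a fresh 128-bit random token generated at login and recorded in the Maildir, every later request required to present the same token, the IP-address binding that can be turned off at login, and a refusal to use a Maildir that has group or world access bits set. The session file name "sqwebmail-session" and the exact set of no-cache headers are assumptions for the sake of the example; SqWebMail's own storage format and header list are not specified here.

```python
import os
import secrets
import stat

TOKEN_BYTES = 16  # 128 bits, the token size named in the text
SESSION_FILE = "sqwebmail-session"  # assumed file name; not SqWebMail's real layout
IP_UNBOUND = "*"  # marker used when the IP check was disabled at login


def check_maildir_private(maildir):
    """True only if the Maildir has no group or world permission bits.

    A session token stored in a readable directory can be copied by any
    other local user, so login refuses to proceed otherwise.
    """
    mode = stat.S_IMODE(os.stat(maildir).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def login(maildir, client_ip, bind_ip=True):
    """Create the session after the userid/password were verified.

    Returns the token the client must echo with every later request.
    bind_ip=False models the per-login option for clients behind a
    load-balancing proxy that presents several source addresses.
    """
    if not check_maildir_private(maildir):
        raise PermissionError("Maildir is group- or world-accessible")
    token = secrets.token_hex(TOKEN_BYTES)  # 32 hex chars = 128 random bits
    bound_ip = client_ip if bind_ip else IP_UNBOUND
    path = os.path.join(maildir, SESSION_FILE)
    # Create the file with mode 0600 from the start, not chmod afterwards.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"{token} {bound_ip}\n")
    return token


def authorize(maildir, client_ip, presented_token):
    """Check a subsequent request against the stored session.

    Both conditions must hold: the token matches (compared in constant
    time so a mismatch position is not leaked) and, unless binding was
    disabled at login, the request comes from the login IP address.
    """
    try:
        with open(os.path.join(maildir, SESSION_FILE)) as f:
            stored_token, bound_ip = f.read().split()
    except (FileNotFoundError, ValueError):
        return False
    if not secrets.compare_digest(stored_token, presented_token):
        return False
    return bound_ip == IP_UNBOUND or bound_ip == client_ip


def no_cache_headers():
    """Headers every served page should carry so proxies and browsers do
    not keep a copy containing the token (standard header set, assumed)."""
    return [
        ("Cache-Control", "no-cache, no-store, must-revalidate"),
        ("Pragma", "no-cache"),
        ("Expires", "0"),
    ]


if __name__ == "__main__":
    import tempfile

    maildir = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    tok = login(maildir, "203.0.113.5")
    print("same IP, right token:", authorize(maildir, "203.0.113.5", tok))
    print("other IP, right token:", authorize(maildir, "198.51.100.9", tok))
    print("same IP, wrong token:", authorize(maildir, "203.0.113.5", "0" * 32))
```

Note that the browser-cache problem described above is not something the server can fix with this logic: the headers from no_cache_headers() are advisory, and a client that ignores them still writes the token to disk.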

However, access to the mailbox