

UPDATE! - 24Jan03
2.7.5 beta1 has cookie support added, so these mods are NOT needed. My updated version also includes the redir.php file, but the official 2.7.5 beta1 does not.

UPDATE! - 15Jan03
I have added PHP session/cookie support to UebiMiau 2.7 & 2.7.2, which stores the sid in a cookie on your PC instead of passing it in the URL. From the testing I've done this seems to fix the session stealing security bug in UebiMiau, and I welcome others to test it as well. Although the redir fix below is probably not needed, I still recommend keeping/using it, since it strips the Referer header from links clicked on in an email and so provides added security.

PHP session/cookie method (stores the sid in a cookie in your browser & ignores any sid passed in the URL)

(I will provide files for download later. For now you are welcome to make the changes yourself using these instructions if you are comfortable editing PHP files; otherwise please be patient and wait for my update.)

---/inc/inc.php---
Find the line that says:
if(empty($sid)) $sid = strtoupper("{".uniqid("")."-".uniqid("")."-".time()."}");
and change it to:
//if(empty($sid)) $sid = strtoupper("{".uniqid("")."-".uniqid("")."-".time()."}");
And add the following lines immediately below it:
session_start();
if (!isset($_SESSION['sid'])){
$sid = strtoupper("{".uniqid("")."-".uniqid("")."-".time()."}");
$_SESSION['sid']=$sid;
} else $sid=$_SESSION['sid'];

That is all that is required to add PHP session/cookie support, BUT you should also make the following change so that your session is killed & your cookie deleted on logout, for added security:

---/logout.php---
At the very end find the lines:
$SS->Kill();
header("Location: ./\r\n");

and change to:
$SS->Kill();
session_unset();
unset($_COOKIE[session_name()]);
unset($_GET[session_name()]);
session_destroy();
session_start();
session_destroy();
header("Location: ./\r\n");

Redir.php method (strips the Referer from links when they are clicked so the sid is not passed)

This fix works by rewriting all links in an email so they go to a local redir.php script, which redirects the user to the destination URL without sending the Referer header. The Referer is a security risk because it contains the session id, which could be used to access the user's mailbox.

First off, download the files at: refererfix.zip and follow these steps, or else modify the files yourself following the instructions below.

Drop the readmsg.php & redir.php files into your UebiMiau folder, or manually edit the files yourself. This has not been thoroughly tested but seems to work with 2.7 & 2.7.2 so far. If you do find any problems PLEASE contact me at ubmod AT neotech.net ASAP! Thanks! Use of this is at your own risk! Always check the official UebiMiau site at: http://www.uebimiau.sili.com.br/

To do it yourself:
---readmsg.php---
//Added on December 13, 2002 by William Warner as possible fix to session security issue
//posted at: http://www.markalway.com/security/webmail/webmail.html
//After the line: $body = $email["body"]; add these 2 lines:
//$my_server = $_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
//$body = eregi_replace("href=\"http://","href=\"http://$my_server/redir.php?http://",$body);

So it looks like:

$body = $email["body"];
$my_server = $_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
$body = eregi_replace("href=\"http://","href=\"http://$my_server/redir.php?http://",$body);

---redir.php--- (new file)
<?php // escape the target so it cannot break out of the attribute or the page
$url = htmlspecialchars($_SERVER['QUERY_STRING'], ENT_QUOTES); ?>
<meta http-equiv="refresh" content="0; url=<?php echo $url ?>">
If you are not redirected, copy & paste the URL: <?php echo $url ?> into the address line of a new browser window.
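For comparison, here is a hardened redir.php written for this page as an added example (it is not part of the original mod or of UebiMiau). It keeps the meta refresh used above but only accepts absolute http/https targets, HTML-escapes what it emits, and asks the browser not to send a Referer at all; the function name redir_target is my own, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not the original redir.php: validate and escape the
// redirect target before emitting it. Links rewritten by readmsg.php
// arrive as redir.php?http://example.com/path?a=1&b=2, so the whole
// query string (not $_GET, which would split it on "&") is the target.

/**
 * Return the target URL if it is an acceptable absolute http/https URL,
 * or null otherwise. $raw is the raw query string (the part after "?").
 */
function redir_target(string $raw): ?string
{
    // A real URL never contains whitespace, control characters or the
    // characters that could terminate an HTML attribute or tag.
    if ($raw === '' || preg_match('/[\x00-\x20\x7f"\'<>]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Only plain web schemes are forwarded; javascript:, data:, file: etc.
    // are rejected rather than handed to the browser.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $raw;
}

$target = redir_target($_SERVER['QUERY_STRING'] ?? '');
if ($target === null) {
    http_response_code(400);
    echo 'Invalid redirect target.';
    exit;
}
// Browsers that honour Referrer-Policy send no Referer on the hop to the
// destination; the meta refresh is kept for the same reason the original
// used it, so older browsers still get the same behaviour as before.
header('Referrer-Policy: no-referrer');
$safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
?>
<meta name="referrer" content="no-referrer">
<meta http-equiv="refresh" content="0; url=<?= $safe ?>">
If you are not redirected, copy &amp; paste the URL: <?= $safe ?> into the address line of a new browser window.
```

Note that the link rewrite in readmsg.php above only catches `href="http://` links, so https links and single-quoted hrefs still go out directly; redir.php only protects the links that were rewritten to point at it.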


We are not directly involved with UebiMiau and this information is provided as-is and for your convenience. See their sites for possible copyright information and use limitations.

Comments on Neotech.net theme or other questions?
Email me at: ubmods AT neotech.net

For official UebiMiau info, files & support see: http://www.uebimiau.org


Ann Arbor, MI
Email: neoinfo AT neotech.net

Copyright: 2002-2007
Last revised: April 30, 2007