#94 security hole squirrelmail mails real userid


When sending composed mail, Squirrelmail 1.4.2
generates a "Received" line which contains a valid
login id and may contain a valid internal network
address for the system upon which it is run. Such
information is useful to hackers and should not
generally be made public.

Possible solution is to modify code in
Deliver.class.php at or about line 260 to remove
generation of the "Received" line associated with the
"SquirrelMail authenticated user". Note that the MTA
will generate a separate "Received" line indicating
reception of the mail from SquirrelMail (using the less
sensitive userid "apache" and the MTA's translation of
its hostname); hence the SquirrelMail-generated
"Received" line is redundant.


<< < 1 2 3 > >> (Page 2 of 3)
  • Douglas Campbell

    • assigned_to: centaurix --> nobody
    • status: open-accepted --> open
  • Douglas Campbell

    Logged In: YES

    Sounds good to me. I've downloaded your diff, will apply
    it, and observe what happens.

  • Erin Schnabel

    Erin Schnabel - 2004-03-28
    • assigned_to: nobody --> ebullient
  • Erin Schnabel

    Erin Schnabel - 2004-03-28
    • status: open --> open-fixed
  • Marc Groot Koerkamp

    • priority: 5 --> 1
  • Tomas Kuliavas

    Tomas Kuliavas - 2005-02-04
    • labels: 102905 -->
  • Tomas Kuliavas

    Tomas Kuliavas - 2005-02-21

    Logged In: YES


    onetimepadencrypt function can be used to encrypt userid.
    only passphrase is used instead of one time pad.

  • Tomas Kuliavas

    Tomas Kuliavas - 2005-05-11

    Logged In: YES

    Patch for 1.5.1cvs attached. Will write patch for stable
    version tomorrow.

    If you want to keep $skip_SM_header option, then mark it as
    unacceptable for stable version and use only
    hide_auth_header.diff for stable. $skip_SM_header=true is
    too dangerous to novice admins. Only mad people keep loaded
    guns next to children.

  • Tomas Kuliavas

    Tomas Kuliavas - 2005-05-11
    • assigned_to: ebullient --> tokul
<< < 1 2 3 > >> (Page 2 of 3)

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks