[CentOS] SquirrelMail Sending Under Wrong Username

John Hinton webmaster at ew3d.com
Thu Jan 22 15:07:03 UTC 2009


CentOS team... as has already been bug reported and marked solved... as we 
await the upstream repair for this.

It was reported that this was happening on CentOS 5. You likely already 
know, but it also happens on CentOS 4.

For those unaware: it seems that SquirrelMail has an issue which allows 
mail to be sent out from one user on the system and it uses the from 
address of another user on the system. Apparently, both users need to be 
logged into SM at the same time.

My client reported that when he sent the affected message, he received a 
connection lost notice. He logged in again, stated that the email was in 
fact sent. The recipient of that email asked what was up with the odd 
from address. Looking at the headers from that message, they do in fact 
show adifferentusername at thisparticularservername.com.

This is about the most embarrassing thing that's ever happened with my 
servers. Obviously the affected user is not feeling very secure. It does 
invite the recipient to reply to the wrong address which could be bad on 
so many levels (imagine having a few local law firms hosted on the same 
server?). I view this as a horrid security issue. If maybe the CentOS 
team might be so kind as to push the SquirrelMail update to the front 
when it's ready, that would be greatly appreciated.

John Hinton

