[CentOS] SquirrelMail Sending Under Wrong Username
webmaster at ew3d.com
Thu Jan 22 15:07:03 UTC 2009
CentOS team... as has already been bug-reported and marked solved... as we
await the upstream repair for this.
It was reported that this was happening on CentOS 5. You likely already
know, but it also happens on CentOS 4.
For those unaware, it seems that SquirrelMail has an issue which allows
mail to be sent out from one user on the system while it uses the from
address of another user on the system. Apparently, both users need to be
logged into SM at the same time.
My client reported that when he sent the affected message, he received a
connection lost notice. He logged in again and stated that the email was in
fact sent. The recipient of that email asked what was up with the odd
from address. Looking at the headers from that message, they do in fact
show adifferentusername at thisparticularservername.com.
This is about the most embarrassing thing that's ever happened with my
servers. Obviously the affected user is not feeling very secure. It does
invite the recipient to reply to the wrong address which could be bad on
so many levels (imagine having a few local law firms hosted on the same
server?). I view this as a horrid security issue. If maybe the CentOS
team might be so kind as to push the SquirrelMail update to the front
when it's ready, that would be greatly appreciated.
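As an added illustration (not part of the original post or of SquirrelMail's code) of the kind of check a defender would want in front of a shared webmail host: a message submitted by a logged-in user should only carry a From address belonging to that user. The helper below compares the From header of an outgoing message with the login name of the session that submitted it, and a scanner runs that check over a small set of constructed sample messages. The domain name and the sample messages are constructed for the example; the server names, usernames and any submission hook are assumptions, not details from the post.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the hosted domain whose users share the webmail server.
LOCAL_DOMAIN = "thisparticularservername.com"


def from_matches_login(raw_message: str, login_user: str, domain: str = LOCAL_DOMAIN) -> bool:
    """Return True only if the message's From address is <login_user>@<domain>.

    A webmail or submission layer could apply this before handing the message
    to the MTA, so a session can never send as another local user.
    """
    msg = message_from_string(raw_message)
    _display, addr = parseaddr(msg.get("From", ""))
    local_part, at, addr_domain = addr.rpartition("@")
    if not at or addr_domain.lower() != domain.lower():
        # Missing or foreign domain: never accept as a local sender identity.
        return False
    return local_part.lower() == login_user.lower()


def find_mismatches(submissions):
    """Scan (login_user, raw_message) pairs and report those whose From
    address does not belong to the submitting login.

    Returns a list of (login_user, from_address) tuples for the offenders.
    """
    offenders = []
    for login_user, raw_message in submissions:
        if not from_matches_login(raw_message, login_user):
            _display, addr = parseaddr(message_from_string(raw_message).get("From", ""))
            offenders.append((login_user, addr))
    return offenders


# Constructed sample submissions: two concurrent webmail sessions, one of
# which ends up sending with the other user's From address.
SAMPLE_SUBMISSIONS = [
    (
        "alice",
        "From: Alice <alice@thisparticularservername.com>\r\n"
        "To: someone@example.com\r\n"
        "Subject: Contract draft\r\n\r\nPlease find the draft attached.\r\n",
    ),
    (
        "bob",
        # Session belongs to bob, but the From header names alice's address.
        "From: alice@thisparticularservername.com\r\n"
        "To: partner@example.com\r\n"
        "Subject: Invoice\r\n\r\nInvoice is in the post.\r\n",
    ),
    (
        "carol",
        # Foreign domain in From: also rejected for a local login.
        "From: Carol <carol@example.org>\r\n"
        "To: friend@example.com\r\n"
        "Subject: Hi\r\n\r\nHello.\r\n",
    ),
]


if __name__ == "__main__":
    for user, addr in find_mismatches(SAMPLE_SUBMISSIONS):
        print(f"session '{user}' attempted to send as '{addr}'")
```

Run stand-alone, the script reports the two offending submissions. The same comparison can be applied at the MTA by mapping SMTP AUTH logins to permitted sender addresses, so the check holds even if the webmail front end misbehaves.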