One of my users has found and reported to me another issue with
regards to reading / listing private messages. While the fix in commit [942e85] works for local, private echos, it does not take into account
the possibillity of two users having the same name (e.g. "Tom Smith")
but different AKAs. Since the fix in [942e85] does not check the From
/ To addresses this may lead to the possibility of a user"Tom
Smith@1:2/3" reading and being able to list messages for "Tom Smith@3:4/5".
I've already fixed the if (..) statments in mail.c (lines 1116, 1258
and 1909) and will provide a proper pull request in the next few days.
I just wanted to inform you that there is still a security issue and
that there is work being done to fix it.
This check should only be applied in NetMail areas. EchoMail areas, by definition, do not specify a destination address, but only a to name.
|Location:||Riverside County, California|
|Nodes:||15 (0 / 15)|