0004445: Links leak full email of customer in referer - SOGo | BTS

ID	Project	Category	View Status	Date Submitted	Last Update

0004445	SOGo	Web General	public	2018-04-12 09:01	2018-04-12 12:27

Reporter	Altibox	Assigned To
Priority	normal	Severity	minor	Reproducibility	always
Status	new	Resolution	open
Platform	[Server] Linux	OS	RHEL/CentOS	OS Version	6
Product Version	2.3.23

Summary	0004445: Links leak full email of customer in referer
Description	This issue should be considered in the context of GDPR compliance. Our SOGo installation is leaking information to third parties when users click links they have received by email. The URL for the main window leaks full email address. Main window URL in our lab environment. https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/view Popup window URL in our lab environment https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/0/folderINBOX/4/popupview We have not found any references in the documentation or information on the wiki as to how we can change the URLs SOGo generates so that they do not include the username or email address of logged in users. How can we get SOGo to not set email address or username its URLs? Change to SOGo code? Change SOGo config? Change httpd / nginx config?
Steps To Reproduce	1) Send email with link to user of SOGo 2) User clicks link 3) URL that includes username (in our case email address) is set as referer
Additional Information	This is what we get in our Apache logs when we test this in our lab environment. link clicked in main window 192.168.165.175 - - [12/Apr/2018:10:40:31 +0200] "GET / HTTP/1.1" 302 256 "https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/view" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" link clicked in separate window 192.168.165.175 - - [12/Apr/2018:10:34:44 +0200] "GET / HTTP/1.1" 302 256 "https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/0/folderINBOX/5/popupview" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" For reference these are the equivalent URLs when I am logged into my gmail account. main UI: https://mail.google.com/mail/u/0/#inbox looking at a single email: https://mail.google.com/mail/u/0/#inbox/162b579bb83b57da
Tags	No tags attached.

Date Modified	Username	Field	Change
2018-04-12 09:01	Altibox	New Issue
2018-04-12 12:27	ludovic	Note Added: 0012831