View Issue Details

ID: 0004445
Project: SOGo
Category: Web General
View Status: public
Last Update: 2018-04-12 12:27
Reporter: Altibox
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: [Server] Linux
OS: RHEL/CentOS
OS Version: 6
Product Version: 2.3.23
Summary: 0004445: Links leak full email of customer in referer
Description

This issue should be considered in the context of GDPR compliance.

Our SOGo installation is leaking information to third parties when users click links they have received by email. The URL for the main window leaks full email address.

Main window URL in our lab environment.

Popup window URL in our lab environment.

We have not found any references in the documentation or information on the wiki as to how we can change the URLs SOGo generates so that they do not include the username or email address of logged in users.

How can we get SOGo to not put the email address or username in its URLs? Change to SOGo code? Change SOGo config? Change httpd / nginx config?

Steps To Reproduce

1) Send email with link to user of SOGo
2) User clicks link
3) URL that includes username (in our case email address) is set as referer

Additional Information

This is what we get in our Apache logs when we test this in our lab environment.

link clicked in main window

192.168.165.175 - - [12/Apr/2018:10:40:31 +0200] "GET / HTTP/1.1" 302 256 "https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/view" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"

link clicked in separate window

192.168.165.175 - - [12/Apr/2018:10:34:44 +0200] "GET / HTTP/1.1" 302 256 "https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/0/folderINBOX/5/popupview" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"

For reference, these are the equivalent URLs when I am logged into my Gmail account.

Tags: No tags attached.

Activities

ludovic (administrator), 2018-04-12 12:27, note ~0012831

It's not possible in SOGo to change this, i.e., it'll always either display an email address or username in the URL.
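SOGo itself cannot drop the identifier from the path, as the reply above states, but the reverse proxy in front of it can tell the browser not to send the Referer at all when a user follows a link out of the mailbox. The following Apache httpd fragment is an added example, not from this report or the SOGo documentation; it assumes mod_headers is loaded and that SOGo is served under /SOGo on the same vhost.

```apache
# Added example, not part of the SOGo project or this bug report.
# Set on the reverse proxy that serves the SOGo HTML pages (the header must be
# on the page the user clicks from, not on the third-party target), so the
# browser omits the Referer, which otherwise carries
# /SOGo/so/<username-or-email>/Mail/... to whatever site the link points at.
# Assumes mod_headers is enabled (a2enmod headers) and SOGo lives under /SOGo.
<Location /SOGo>
    # "no-referrer" sends nothing at all. If some integration needs to know
    # where traffic came from, "strict-origin-when-cross-origin" instead sends
    # only the scheme and host (no path) to other origins.
    Header always set Referrer-Policy "no-referrer"
</Location>
```

The nginx equivalent is `add_header Referrer-Policy "no-referrer" always;` inside the `location /SOGo` block; after deploying, re-run the reproduction steps and confirm the third line of the Apache log entry is now `"-"` instead of the SOGo URL.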

Issue History

Date Modified Username Field Change
2018-04-12 09:01 Altibox New Issue
2018-04-12 12:27 ludovic Note Added: 0012831