0004626: SOGo server accepts changed From address in send post action - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0004626	SOGo	Web Mail	public	2018-12-20 11:16	2018-12-20 11:16

Reporter	ASolana	Assigned To
Priority	normal	Severity	major	Reproducibility	always
Status	new	Resolution	open
Platform	[Server] Linux	OS	Ubuntu	OS Version	16.04 LTS
Product Version	4.0.4

Summary	0004626: SOGo server accepts changed From address in send post action
Description	If SOGO POST send message action is intercepted and mail from address is changed SOGo let this message to be sent. SOGo would have to detect that mail from address doesn't belong to logged user and then stop message sending.
Steps To Reproduce	UserA enters in SOGo webmail UserA create new message in order to send to a private list "MailistX" created by UserB. Press the send button which creates a send POST request. This POST is intercepted with Burp, and the MAIL FROM is changed to UserB as shown in the attached screenshot (1.mailfrom_before.post.png). The mail is sent and all the members of the list receive the email without any problem. I've attached screen captures (burp example and a sent message example after message being "changed").
Tags	No tags attached.

Date Modified	Username	Field	Change
2018-12-20 11:16	ASolana	New Issue
2018-12-20 11:16	ASolana	File Added: screen.capture.post.send.zip

ASolana 2018-12-20 11:16 reporter	screen.capture.post.send.zip (57,629 bytes)