View Issue Details

ID: 0006047
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2024-10-16 07:20
Reporter: qhivert
Assigned To: qhivert
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 5.11.1
Fixed in Version: 5.11.2
Summary: 0006047: CRITICAL SECURITY error with 5.11.1 and parameter SOGoForbidUnknownDomainsAuth
Description

Version 5.11.1 introduces a new parameter, SOGoForbidUnknownDomainsAuth, set to NO by default.

DO NOT SET THIS PARAMETER TO YES, as it introduces a critical security error allowing your user to authenticate to the webmail with any password. Mail will not work, as the IMAP is not the correct one, but calendars and contacts will work.

Letting this parameter unset, or set at NO is OK.

Alinto's working on a fix and new release as soon as possible.

Tags: No tags attached.
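
A defender's check for the setting described above, as an added example that is not part of the original issue or SOGo's own code: it scans the text of a sogo.conf for an uncommented SOGoForbidUnknownDomainsAuth set to YES and relates it to the affected version. The function names, status labels and sample configuration are constructed for illustration; SOGoProfileURL appears only as a sample line whose value contains `//`.

```python
import re

PARAM = "SOGoForbidUnknownDomainsAuth"
AFFECTED_VERSION = "5.11.1"   # per this issue; fixed in 5.11.2

# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = '''{
  /* SOGoForbidUnknownDomainsAuth = NO; */
  SOGoProfileURL = "postgresql://sogo@127.0.0.1/sogo/sogo_user_profile";
  // SOGoForbidUnknownDomainsAuth = NO;
  SOGoForbidUnknownDomainsAuth = YES;
}'''

def strip_comments(text):
    """Blank out /* ... */ and // comments while leaving quoted strings
    intact, so a '//' inside a URL value is not mistaken for a comment."""
    token = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)
    return token.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)

def param_values(conf_text):
    """Return every value assigned to PARAM outside comments, in file order."""
    body = strip_comments(conf_text)
    rx = re.compile(r'\b' + PARAM + r'\b\s*=\s*"?([A-Za-z0-9]+)"?\s*;')
    return [m.group(1) for m in rx.finditer(body)]

def audit(conf_text, version):
    """Classify a configuration against this issue.

    'exposed' : parameter is YES on the affected version (5.11.1)
    'enabled' : parameter is YES on another version (fixed in 5.11.2)
    'ok'      : parameter unset, commented out, or not YES
    """
    values = param_values(conf_text)
    if not any(v.upper() == "YES" for v in values):
        return "ok", values
    status = "exposed" if version == AFFECTED_VERSION else "enabled"
    return status, values

if __name__ == "__main__":
    status, values = audit(SAMPLE_CONF, "5.11.1")
    print(f"{PARAM}: values={values} status={status}")
```

Only exact release version strings are compared here; nightly builds are not classified and need to be checked by build date against the notes below.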

Activities

qhivert

2024-10-11 15:50

administrator   ~0017913

A first fix has been made and will be available in the next nightly 20241012. I'll wait for the feedback of the sogo user that reported this before making a release.

qhivert

2024-10-16 07:20

administrator   ~0017914

5.11.2 with the patch is released today

Issue History

Date Modified Username Field Change
2024-10-11 12:16 qhivert New Issue
2024-10-11 12:16 qhivert Status new => assigned
2024-10-11 12:16 qhivert Assigned To => qhivert
2024-10-11 15:50 qhivert Note Added: 0017913
2024-10-16 07:20 qhivert Status assigned => closed
2024-10-16 07:20 qhivert Resolution open => fixed
2024-10-16 07:20 qhivert Fixed in Version => 5.11.2
2024-10-16 07:20 qhivert Note Added: 0017914