| Field | Value |
|---|---|
| Reporter | David |
| Assigned To | |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | new |
| Resolution | open |
| Platform | [Server] Linux |
| OS | RHEL/CentOS |
| OS Version | 7 |
| Product Version | 5.12.6 |

Summary: 0006195: SOGoMailCustomFromEnabled = NO not enforced server-side
Description:

The configuration option

SOGoMailCustomFromEnabled = NO

only disables the From field in the SOGo web UI. It does not enforce any server-side validation on the /send endpoint. As a result, any authenticated user can bypass the restriction by directly POSTing to the draft send API with a modified from field in the JSON body, without needing any special tools beyond a browser's built-in DevTools.
Steps To Reproduce:

- Set SOGoMailCustomFromEnabled = NO in sogo.conf and restart SOGo
- Log in as any user via the web interface
- Compose an email and click Send — capture the POST request using browser DevTools (Network tab)
- Right-click the request → Copy as fetch
- Paste into browser Console, modify the from field in the body to any arbitrary address
- Execute — email is delivered with the spoofed From address, HTTP 200 returned

Additional Information:

When

SOGoMailCustomFromEnabled=NO

the server should validate that the submitted from value matches the authenticated user's address and reject the request if it does not.
Now users can impersonate other addresses, including potentially other users on the same domain.

Tags: No tags attached.
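The server-side check the report asks for, written out as an added illustration that is not SOGo's own code: the submitted from value is parsed, normalized and compared against the identities the authenticated user may send as, independently of any web UI state. The JSON body layout and the per-user identity list are assumptions of the example.

```python
import json
from email.utils import getaddresses

# Added illustration of the check the report asks for; this is not SOGo code.
# Assumption: the send request carries a JSON body with a "from" field, and the
# authenticated user's permitted sender identities are known server-side
# (e.g. from the user record), the first one being the primary address.


class FromNotAllowed(Exception):
    """Submitted From address is not one of the authenticated user's identities."""


def normalize(addr: str) -> str:
    """Return the lowercased bare address from a 'Name <user@host>' string.

    Exactly one address must parse; anything else (empty string, address
    lists, garbage) yields '' so that it never matches an identity.
    """
    parsed = getaddresses([addr])
    if len(parsed) != 1 or not parsed[0][1]:
        return ""
    return parsed[0][1].strip().lower()


def check_custom_from(body: str, identities, custom_from_enabled: bool) -> str:
    """Validate the 'from' field of a draft-send request body.

    Returns the bare address the message may be sent from, or raises
    FromNotAllowed when SOGoMailCustomFromEnabled is NO and the submitted
    address is not one of the user's identities. The client-side UI state is
    never consulted: the decision is made on the server for every request.
    """
    allowed = [normalize(a) for a in identities]
    if not allowed or "" in allowed:
        raise ValueError("authenticated user has no usable sender identity")
    submitted = json.loads(body).get("from")
    if submitted is None:
        return allowed[0]          # nothing submitted: use the primary address
    if custom_from_enabled:
        return submitted           # custom From allowed: pass through as before
    bare = normalize(submitted)
    if bare not in allowed:
        raise FromNotAllowed(f"From {submitted!r} is not an identity of this user")
    return bare
```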