Re: Any known bugs with reply-to going to wrong user?

On Tue, May 6, 2008 at 10:00 AM, Elizabeth Schwartz
<betsy.schwartz@xxxxxxxxx> wrote:
> We had a weird experience last week and the Helpdesk folks say it

We have no relationship to anyone's help desk.  You might need to
contact whomever is your service provider.

>  isn't the first time. I apologize for having incomplete information
>  but I'm wondering if this rings any bells for anyone:
>
>  Webmail server: Squirrelmail 1.4.7,  Solaris 9, with imapproxy 1.4.6

1.4.7 is terribly old.  It is full of known security exploits.  It
isn't really supported any more.

>  (CSW build).
>  Imap server:  Solaris 10, Cyrus IMAP, and mailman 2.1.8
>  (I know, it's all old, but it hasn't been particularly broken)

But, unless used only on an internal LAN, including the messages that
are sent to and fro, it is exposed to known security problems.  It is
trivial to upgrade unless you've customized it beyond recognition.

>  So, a customer started to compose an email to a mailman list. Her
>  message shows a Reply-to header from a previous message to that list,
>  so I think she used Reply-To and changed the Subject. Something
>  happened at this point - mailman crashed, or the browser hung, not
>  sure what. The user re-authenticated, reads her new mail, and starts
>  a reply to a private email containing confidential information.
>  Again, I am not 100% sure of the sequence, but I believe she had both
>  replies open at the same time.
>
>  **BOTH** messages went to the mailing list. *Both* messages had
>  mailman reply-to headers showing that they were responses to an
>  earlier mailman message. The private email had the correct subject
>  from the private email, and the correct message body from the private
>  email, so I believe the customer when she says she replied to the
>  correct email. If she'd accidentally replied to the mailing list, the
>  message body wouldn't have the correctly quoted message body from the
>  previous email.
>
>  Has anyone experienced anything like this? Because of the nature of
>  the private information that was released, I may be called on to
>  explain this and suggest a fix. "Don't compose two messages at once"
>  seems like overkill - a reasonable person might reasonably do that.

Only thing I can think of is that either SM's message restore
mechanism or quicksave (plugin) saved part of the message headers
before some kind of browser crash... when she logged in again, it may
have done something weird with filling in those headers, but in
reality, I've never heard of this, and it should not be possible to
only restore some parts of the message whilst leaving the others as
is.  Especially if you have an up-to-date SM installation.  Without
more details on how it all happened, there is nothing anyone can
realistically suggest except to make sure your software is up to date.

>  Any thoughts welcome.
>  thanks Betsy
>  PS interrogating the customer is not an option here.
>

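As an added illustration, not code from SquirrelMail, its plugins, or anyone in this thread: a hypothetical draft-restore routine showing how merging a partially quick-saved header set into a different compose window would produce exactly the symptom reported above (private subject and body, list recipient), beside a restore that refuses partial or cross-session data. The session ids, header names and addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Draft:
    session_id: str        # hypothetical: id of the compose window that saved it
    headers: dict = field(default_factory=dict)
    body: str = ""

# Headers a reply draft must carry in full before it may be restored at all.
REQUIRED = ("To", "Subject", "In-Reply-To")

# Constructed scenario mirroring the report: a quicksave from the interrupted
# list reply (session A) and the private reply the user then opened (session B).
SAVED_LIST_REPLY = Draft("A", {"To": "staff-list@example.invalid",
                               "In-Reply-To": "<list-msg@example.invalid>"})
CURRENT_PRIVATE_REPLY = Draft("B", {"To": "colleague@example.invalid",
                                    "Subject": "Re: confidential matter",
                                    "In-Reply-To": "<private-msg@example.invalid>"},
                              "> original private text\nmy answer")
SAVED_SAME_SESSION = Draft("B", dict(CURRENT_PRIVATE_REPLY.headers),
                           CURRENT_PRIVATE_REPLY.body)

def restore_unsafe(current: Draft, saved: Draft) -> Draft:
    """Naive restore: merge whatever headers were saved into the open compose,
    whichever reply they came from. The private subject and body survive,
    but the recipient now points at the list."""
    merged = dict(current.headers)
    merged.update({k: v for k, v in saved.headers.items() if v})
    return Draft(current.session_id, merged, current.body or saved.body)

def restore_safe(current: Draft, saved: Draft) -> Draft:
    """Hardened restore: only a complete header set, saved by this same compose
    session and replying to the same message, is allowed back in."""
    if saved.session_id != current.session_id:
        raise ValueError("saved draft belongs to another compose session")
    missing = [h for h in REQUIRED if not saved.headers.get(h)]
    if missing:
        raise ValueError(f"refusing partial restore, missing {missing}")
    if current.headers.get("In-Reply-To") != saved.headers["In-Reply-To"]:
        raise ValueError("saved draft replies to a different message")
    return Draft(current.session_id, dict(saved.headers), saved.body)

if __name__ == "__main__":
    leaked = restore_unsafe(CURRENT_PRIVATE_REPLY, SAVED_LIST_REPLY)
    print("unsafe restore sends to:", leaked.headers["To"])   # the list address
    try:
        restore_safe(CURRENT_PRIVATE_REPLY, SAVED_LIST_REPLY)
    except ValueError as err:
        print("safe restore refused:", err)
```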
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users