• Another fix regarding reading/listing prvt. msgs.

    From Niels Haedecke@2:240/8002 to Andrew Leary on Sat Dec 5 17:13:59 2020
    Hi Andrew,

    One of my users has found and reported to me another issue with regards to reading / listing private messages. While the fix in commit [942e85] works for local, private echos, it does not take into account the possibillity of two users having the same name (e.g. "Tom Smith") but different AKAs. Since the fix
    in [942e85] does not check the From / To addresses this may lead to the possibility of a user"Tom Smith@1:2/3" reading and being able to list messages for "Tom Smith@3:4/5".

    I've already fixed the if (..) statments in mail.c (lines 1116, 1258 and 1909) and will provide a proper pull request in the next few days. I just wanted to inform you that there is still a security issue and that there is work being done to fix it.

    Kind regards,
    Niels

    Greetings, Niels Haedecke

    --- MBSE BBS v1.0.7.20 (GNU/Linux-x86_64)
    * Origin: Wintermute BBS - Duesseldorf, Germany (2:240/8002)
  • From Andrew Leary@1:320/219 to Niels Haedecke on Sat Dec 5 21:31:08 2020
    Hello Niels!

    05 Dec 20 17:13, you wrote to me:

    Hi Andrew,

    One of my users has found and reported to me another issue with
    regards to reading / listing private messages. While the fix in commit [942e85] works for local, private echos, it does not take into account
    the possibillity of two users having the same name (e.g. "Tom Smith")
    but different AKAs. Since the fix in [942e85] does not check the From
    / To addresses this may lead to the possibility of a user"Tom
    Smith@1:2/3" reading and being able to list messages for "Tom Smith@3:4/5".

    This check should only be applied in NetMail areas. EchoMail areas, by definition, do not specify a destination address, but only a to name. There is no way, using standard FTN technology, to address an EchoMail message, even one flagged as private, to only Tom Smith@3:4/5 but not Tom Smith@1:2/3. The message would be sent to all nodes connected to the echo, and any Tom Smith would be able to read them on any node in the echo.

    I've already fixed the if (..) statments in mail.c (lines 1116, 1258
    and 1909) and will provide a proper pull request in the next few days.
    I just wanted to inform you that there is still a security issue and
    that there is work being done to fix it.

    I will certainly look at the pull request when you send it, and evaluate accordingly.

    Andrew

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: Phoenix BBS * phoenix.bnbbbs.net (1:320/219)
  • From Niels Haedecke@2:240/8002 to Andrew Leary on Sun Dec 6 10:19:23 2020
    Hello Andrew,


    Andrew Leary wrote to Niels Haedecke:

    This check should only be applied in NetMail areas. EchoMail areas, by definition, do not specify a destination address, but only a to name.

    Not to worry, I've taken care of that. I'll do some more tests today and then get the pull request out. Thank you for you very quick reply!

    Kind regards,
    Niels


    Greetings, Niels Haedecke

    --- MBSE BBS v1.0.7.20 (GNU/Linux-x86_64)
    * Origin: Wintermute BBS - Duesseldorf, Germany (2:240/8002)