• Another fix regarding reading/listing prvt. msgs.

    From Niels Haedecke@2:240/8002 to Andrew Leary on Sat Dec 5 17:13:58 2020
    Hi Andrew,

    One of my users has found and reported to me another issue with regards to reading / listing private messages. While the fix in commit [942e85] works for local, private echos, it does not take into account the possibility of two users having the same name (e.g. "Tom Smith") but different AKAs. Since the fix in [942e85] does not check the From / To addresses this may lead to the possibility of a user "Tom Smith@1:2/3" reading and being able to list messages for "Tom Smith@3:4/5".

    I've already fixed the if (..) statements in mail.c (lines 1116, 1258 and 1909) and will provide a proper pull request in the next few days. I just wanted to inform you that there is still a security issue and that there is work being done to fix it.

    Kind regards,
    Niels

    Greetings, Niels Haedecke

    --- MBSE BBS v1.0.7.20 (GNU/Linux-x86_64)
    * Origin: Wintermute BBS - Duesseldorf, Germany (2:240/8002)
  • From Niels Haedecke@2:240/8002 to Andrew Leary on Sun Dec 6 10:19:22 2020
    Hello Andrew,


    Andrew Leary wrote to Niels Haedecke:

    This check should only be applied in NetMail areas. EchoMail areas, by definition, do not specify a destination address, but only a to name.

    Not to worry, I've taken care of that. I'll do some more tests today and then get the pull request out. Thank you for your very quick reply!

    Kind regards,
    Niels


    Greetings, Niels Haedecke

    --- MBSE BBS v1.0.7.20 (GNU/Linux-x86_64)
    * Origin: Wintermute BBS - Duesseldorf, Germany (2:240/8002)
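
The access check discussed in this thread, as an added example that is not MBSE BBS code and not part of either message: a name-only test beside one that also compares the From / To addresses, applied in NetMail areas only. The types, function names, the single-address reader and the exact-match name comparison are assumptions made for illustration; the sample data is constructed from the two users named above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for illustration; not MBSE BBS structures. */
typedef struct { unsigned zone, net, node, point; } ftn_addr;
typedef enum { AREA_ECHOMAIL, AREA_NETMAIL } area_kind;
typedef struct {
    const char *from_name, *to_name;
    ftn_addr from_addr, to_addr;
    bool is_private;
} msg_hdr;
typedef struct { const char *name; ftn_addr addr; } reader;

static bool same_addr(ftn_addr a, ftn_addr b) {
    return a.zone == b.zone && a.net == b.net &&
           a.node == b.node && a.point == b.point;
}

/* Name-only check: the gap described in the thread. */
bool may_read_name_only(const msg_hdr *m, const reader *r) {
    if (!m->is_private) return true;
    return strcmp(m->to_name, r->name) == 0 ||
           strcmp(m->from_name, r->name) == 0;
}

/* Name check, plus address check in NetMail areas only. */
bool may_read(const msg_hdr *m, const reader *r, area_kind kind) {
    if (!m->is_private) return true;
    bool to_me = strcmp(m->to_name, r->name) == 0;
    bool from_me = strcmp(m->from_name, r->name) == 0;
    if (kind == AREA_NETMAIL) {  /* EchoMail carries no destination address */
        to_me = to_me && same_addr(m->to_addr, r->addr);
        from_me = from_me && same_addr(m->from_addr, r->addr);
    }
    return to_me || from_me;
}

/* Constructed sample data: the two users named in the thread. */
static const reader tom_a = { "Tom Smith", {1, 2, 3, 0} };
static const reader tom_b = { "Tom Smith", {3, 4, 5, 0} };
static const msg_hdr to_tom_b = { "Sysop", "Tom Smith", {3, 4, 1, 0}, {3, 4, 5, 0}, true };

int main(void) {
    printf("name-only, Tom@1:2/3: %d\n", may_read_name_only(&to_tom_b, &tom_a));
    printf("netmail,   Tom@1:2/3: %d\n", may_read(&to_tom_b, &tom_a, AREA_NETMAIL));
    printf("netmail,   Tom@3:4/5: %d\n", may_read(&to_tom_b, &tom_b, AREA_NETMAIL));
    return 0;
}
```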