Subj : Another fix regarding reading/listing prvt. msgs.
To : Andrew Leary
From : Niels Haedecke
Date : Sat Dec 05 2020 17:13:59

Hi Andrew,

One of my users has found and reported to me another issue with regard to reading / listing private messages. While the fix in commit [942e85] works for local, private echos, it does not take into account the possibility of two users having the same name (e.g. "Tom Smith") but different AKAs. Since the fix in [942e85] does not check the From / To addresses, this may lead to the possibility of a user "Tom Smith@1:2/3" reading and being able to list messages for "Tom Smith@3:4/5".

I've already fixed the if (..) statements in mail.c (lines 1116, 1258 and 1909) and will provide a proper pull request in the next few days. I just wanted to inform you that there is still a security issue and that there is work being done to fix it.

Kind regards,
Niels

Greetings, Niels Haedecke

--- MBSE BBS v1.0.7.20 (GNU/Linux-x86_64)
 * Origin: Wintermute BBS - Duesseldorf, Germany (2:240/8002)
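
The difference between a name-only check and a name-plus-address check, as described in the message above. This is an added example, not part of the original message and not MBSE BBS code. The types `ftn_addr` and `party`, the functions `parse_ftn`, `may_read_name_only` and `may_read`, the case-insensitive name comparison and the single address per user are all assumptions made for illustration.

```c
#include <stdio.h>
#include <strings.h>

/* Hypothetical types for this example; not MBSE BBS's own structures. */
typedef struct { int zone, net, node, point; } ftn_addr;
typedef struct { const char *name; ftn_addr aka; } party;

/* Parse "zone:net/node[.point]". Returns 0 on success, -1 if malformed. */
int parse_ftn(const char *s, ftn_addr *a) {
    int used = 0, more = 0;
    a->point = 0;                       /* a missing point means point 0 */
    if (sscanf(s, "%d:%d/%d%n", &a->zone, &a->net, &a->node, &used) != 3)
        return -1;
    if (s[used] == '.') {
        if (sscanf(s + used, ".%d%n", &a->point, &more) != 1)
            return -1;
        used += more;
    }
    if (a->zone < 1 || a->net < 0 || a->node < 0 || a->point < 0)
        return -1;
    return s[used] == '\0' ? 0 : -1;    /* reject trailing characters */
}

/* Assumption: names compare case-insensitively; all address fields must match. */
static int same_party(const party *x, const party *y) {
    return strcasecmp(x->name, y->name) == 0 &&
           x->aka.zone == y->aka.zone && x->aka.net == y->aka.net &&
           x->aka.node == y->aka.node && x->aka.point == y->aka.point;
}

/* Name-only test: the kind of check the message reports as insufficient. */
int may_read_name_only(const party *user, const party *from, const party *to) {
    return !strcasecmp(user->name, from->name) || !strcasecmp(user->name, to->name);
}

/* Name and address must match together, on the From side or the To side. */
int may_read(const party *user, const party *from, const party *to) {
    return same_party(user, from) || same_party(user, to);
}

int main(void) {
    /* Constructed sample: two users share a name, addresses as in the message. */
    party me = {"Tom Smith", {1, 2, 3, 0}}, to = {"Tom Smith", {3, 4, 5, 0}};
    party from = {"Sysop", {3, 4, 0, 0}};
    printf("name only: %d, name+address: %d\n",
           may_read_name_only(&me, &from, &to), may_read(&me, &from, &to));
    return 0;
}
```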