[Bug 268048] New: All identities try to send via default SMTP server; credentials disclosure!!!
Szczepan Hołyszewski
rulatir at wp.pl
Wed Mar 9 11:48:41 GMT 2011
https://bugs.kde.org/show_bug.cgi?id=268048
Summary: All identities try to send via default SMTP server;
credentials disclosure!!!
Product: kmail
Version: 1.13.6
Platform: Archlinux Packages
OS/Version: Linux
Status: UNCONFIRMED
Severity: major
Priority: NOR
Component: sending
AssignedTo: kdepim-bugs at kde.org
ReportedBy: rulatir at wp.pl
Version: 1.13.6 (using KDE 4.6.0)
OS: Linux
(Reason for major severity: security hole, credentials disclosed to wrong
party)
When sending a message using an identity that uses an SMTP account other than
the default, kmail connects to the default SMTP server instead, but tries to
authenticate with the username and password defined in the non-default SMTP
account selected for the identity. This has two effects:
- email is not sent because SMTP authentication fails
- identity's SMTP account credentials are disclosed to the default SMTP server
Reproducible: Always
Steps to Reproduce:
1. Set up two SMTP accounts on different servers, let's call them a and b.
2. Set a as the default SMTP account.
3. Set up two identities, let's call them A and B.
4. Assign account a as sending account for identity A; assign account b as
sending account for identity B.
5. Try sending mail using identity B.
Actual Results:
Authentication failure and password disclosure because KMail uses credentials
from account b but sends them to account a's SMTP server.
Expected Results:
Account b's server should be used.
OS: Linux (i686) release 2.6.37-ARCH
Compiler: gcc
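Added example, not part of the original report and not KMail code: a small Python model of the steps to reproduce, with a guard that refuses to authenticate when the connected host is not the host of the account whose credentials are about to be sent. All names, hosts and credentials are constructed for illustration, and the "always connect to the default server" function only models the behaviour the report describes, not its actual cause.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SmtpAccount:
    host: str
    username: str
    password: str

class CredentialLeak(Exception):
    """Raised instead of sending AUTH to a server the credentials do not belong to."""

class Connection:
    """Stand-in for an open SMTP session; records AUTH attempts, no network I/O."""
    def __init__(self, host, auth_log):
        self.host, self.auth_log = host, auth_log

    def auth(self, account):
        # Invariant: credentials are released only to the host of their own account.
        if account.host.lower() != self.host.lower():
            raise CredentialLeak(f"refusing AUTH for {account.username!r} on {self.host}")
        self.auth_log.append((self.host, account.username))

# Constructed sample configuration matching the steps to reproduce.
ACCOUNTS = {
    "a": SmtpAccount("smtp.a.example", "user-a", "secret-a"),
    "b": SmtpAccount("smtp.b.example", "user-b", "secret-b"),
}
DEFAULT = "a"
IDENTITIES = {"A": "a", "B": "b"}  # identity -> assigned sending account

def connect_default(identity, auth_log):
    """Models the reported behaviour: the default server is always contacted."""
    return Connection(ACCOUNTS[DEFAULT].host, auth_log)

def connect_assigned(identity, auth_log):
    """Expected behaviour: contact the server of the identity's own account."""
    return Connection(ACCOUNTS[IDENTITIES[identity]].host, auth_log)

def send(identity, connect, auth_log):
    """Open a session via `connect`, authenticate, return the host that was used."""
    account = ACCOUNTS[IDENTITIES[identity]]
    conn = connect(identity, auth_log)
    conn.auth(account)  # raises CredentialLeak before any secret is handed over
    return conn.host
```

With the guard in place, the misrouted send for identity B fails closed: the message is still not delivered, but account b's password never reaches account a's server.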