Re: [Evolution-hackers] a security issue with Evolution



On Sat, 2006-04-22 at 02:12 -0300, Jose Tavares wrote:
> Today I was at FISL (Forum Internacional Software Livre) accessing the
> net through the wifi network they were offering. It was an open wifi
> network with no crypto at all..
> 
> So, using Evolution I needed to disable the access of my email accounts
> whose pop/smtp does not offer a secure connection. Yes, there's a big
> provider here in Brazil that does not offer secure connection to its
> pop/smtp.
> 
> The problem is that I left enabled just an account at gmail that is
> configured to make secure connections..
> 
> After that, I took an old email in my outbox that had been sent with the
> account from the unsecured provider and selected "Edit as new message".
> Then, I thought the From: field would have been changed automatically to
> my new configured default connection.
> 
> Guess what happened? I sent the email with the From: field from the
> unsecure provider and Evolution did establish an unsecure connection to
> the unsecure provider and sent my plain password through the network
> even with the unsecure account marked as disabled in Evolution!!
> 
> []
> JA Tavares



I looked at the archives and saw this was discussed in Nov-Dec/2005 ..
Parthasarathi Susarla made a patch for evolution not to send mail from
disabled accounts.. This patch does not seem to be applied as nothing
stopped me from sending a mail from a disabled account..

I'm using v2.4.2.1 from Debian Unstable..

[]
JA Tavares





