SOGo | BTS

ID: 0004445
Project: SOGo
Category: Web General
View Status: public
Date Submitted: 2018-04-12 05:01
Last Update: 2018-04-12 08:27
Reporter: Altibox
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: [Server] Linux
OS: RHEL/CentOS
OS Version: 6
Product Version: 2.3.23
Target Version:
Fixed in Version:
Summary: 0004445: Links leak full email of customer in referer
Description:
This issue should be considered in the context of GDPR compliance.

Our SOGo installation is leaking information to third parties when users click links they have received by email. The URL for the main window leaks full email address.

Main window URL in our lab environment:
 * https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/view

Popup window URL in our lab environment:
 * https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/0/folderINBOX/4/popupview


We have not found any references in the documentation or information on the wiki as to how we can change the URLs SOGo generates so that they do not include the username or email address of logged in users.

How can we get SOGo to not put the email address or username in its URLs? Change to SOGo code? Change SOGo config? Change httpd / nginx config?
Steps To Reproduce:
1) Send email with link to user of SOGo
2) User clicks link
3) URL that includes username (in our case email address) is set as referer
Additional Information:
This is what we get in our Apache logs when we test this in our lab environment.

# link clicked in main window
192.168.165.175 - - [12/Apr/2018:10:40:31 +0200] "GET / HTTP/1.1" 302 256 "https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/view" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"

# link clicked in separate window
192.168.165.175 - - [12/Apr/2018:10:34:44 +0200] "GET / HTTP/1.1" 302 256 "https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/0/folderINBOX/5/popupview" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"

For reference, these are the equivalent URLs when I am logged into my gmail account.
 * main UI: https://mail.google.com/mail/u/0/#inbox
 * looking at a single email: https://mail.google.com/mail/u/0/#inbox/162b579bb83b57da
Tags: No tags attached.
Attached Files:

Notes
(0012831)
ludovic (administrator)
2018-04-12 08:27

It's not possible in SOGo to change this - i.e., it'll always either display an email address or username in the URL.
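Since the URL itself cannot be changed on the SOGo side, the first thing an operator will want is a way to measure how often the login actually leaves the site. The script below is an added example, not code from the bug report or from SOGo: it parses Apache combined-format access-log lines like the ones quoted above and flags every referer that carries a SOGo login (the path segment after /SOGo/so/), noting whether that login is an email address. The two SOGo lines are the ones from the report; the remaining sample lines and the login "jdoe" are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Apache "combined" log format:
# host ident authuser [date] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# SOGo object URLs look like /SOGo/so/<login>/...; the login may be an email address.
SOGO_LOGIN_RE = re.compile(r'/SOGo/so/(?P<login>[^/]+)/')
EMAIL_RE = re.compile(r'^[^@/\s]+@[^@/\s]+\.[^@/\s]+$')

# Sample log: the two SOGo lines are from the report, the others are constructed.
SAMPLE_LOG = [
    '192.168.165.175 - - [12/Apr/2018:10:40:31 +0200] "GET / HTTP/1.1" 302 256 '
    '"https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/view" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"',
    '192.168.165.175 - - [12/Apr/2018:10:34:44 +0200] "GET / HTTP/1.1" 302 256 '
    '"https://webmail.snartibox.no/SOGo/so/testkunde22@lyse.net/Mail/0/folderINBOX/5/popupview" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"',
    # constructed: no referer at all (browser sent none)
    '192.168.165.176 - - [12/Apr/2018:10:41:02 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # constructed: referer from the webmail host but without a login in the path
    '192.168.165.177 - - [12/Apr/2018:10:41:30 +0200] "GET / HTTP/1.1" 200 512 '
    '"https://webmail.snartibox.no/SOGo/" "Mozilla/5.0"',
    # constructed: a plain username rather than an email address as the SOGo login
    '192.168.165.178 - - [12/Apr/2018:10:42:11 +0200] "GET / HTTP/1.1" 200 512 '
    '"https://webmail.snartibox.no/SOGo/so/jdoe/Mail/view" "Mozilla/5.0"',
]


class Leak(NamedTuple):
    host: str
    time: str
    referer: str
    login: str
    is_email: bool


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields; None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def login_in_referer(referer: str) -> Optional[str]:
    """Return the SOGo login embedded in a referer URL, or None."""
    m = SOGO_LOGIN_RE.search(referer)
    return m.group('login') if m else None


def find_leaking_referers(lines) -> List[Leak]:
    """Collect every request whose referer carried a SOGo login."""
    leaks: List[Leak] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than guess
        login = login_in_referer(rec['referer'])
        if login is None:
            continue
        leaks.append(Leak(rec['host'], rec['time'], rec['referer'],
                          login, bool(EMAIL_RE.match(login))))
    return leaks


if __name__ == '__main__':
    for leak in find_leaking_referers(SAMPLE_LOG):
        kind = 'email address' if leak.is_email else 'username'
        print(f'{leak.time} {leak.host} leaked {kind} {leak.login!r} via {leak.referer}')
```

Run against a real access log (one line per element of the iterable) it reports each outbound click that disclosed a login, which is the evidence a GDPR review would ask for. Because the URL is fixed by SOGo, the practical control is on the HTTP side rather than in the application: the `Referrer-Policy` response header (for example `no-referrer` or `same-origin`, set by the web server in front of SOGo) tells browsers to omit the referer when following links to other sites. That header is a standard browser mechanism and is not something the bug report or the SOGo maintainer's note discusses.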

Issue History
Date Modified Username Field Change
2018-04-12 05:01 Altibox New Issue
2018-04-12 08:27 ludovic Note Added: 0012831


Copyright © 2000 - 2018 MantisBT Team
Powered by Mantis Bugtracker