
11 May 2011

Please check, is it true? -- "CRITICAL ISSUE/SECURITY FLAW with Google Apps"

I got this mail from some source. May someone check it?

----Steps to reproduce the issue------

1. Create an announcement group in Google Apps (my university is using the education edition).

Let the group name be testgroup and the group email id test.group@sample.edu.

2. Add some email ids to the group.

3. Add an email id as the owner of the group, say group.owner@sample.edu.

4. Use a "fake mailer service". In the "send from" field: group.owner@sample.edu; in the "send to" field: test.group@sample.edu.

5. The mail will be sent to all the group members of testgroup.

6. The email will also appear in the Sent Items of the email id group.owner@sample.edu.


PS: I have not tested it with a "normal" PHP (or other) mail script, but with a fake mailer service available online.

This should be fixed at the earliest, and email-based validation of the group owner (or of others that have permission to post/mail) should not be the ONLY validation for checking the permission (as other validations fail in this context).

I would be happy to be contacted if some more information is required. And also to be notified when this is fixed.

/-----------------------------------------/



Mayank Gupta.


By- Narendra Sisodiya
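The report above boils down to a mailing-list owner check that trusts the From header alone. The following is an added example (not code from the post, and not Google's implementation) of how a receiving list server could instead require that the From domain was actually authenticated by its own MTA (DMARC, DKIM or SPF result recorded in Authentication-Results) before honouring owner privileges. The owner address and the two messages are constructed to mirror the report.

```python
import email
import re
from email.utils import parseaddr

# Constructed owner list using the sample address from the report.
GROUP_OWNERS = {"group.owner@sample.edu"}

def verified_domains(msg):
    """Return domains that the receiving MTA authenticated, read from the
    Authentication-Results headers it added itself. Assumption: the border
    MTA strips any Authentication-Results arriving from outside, otherwise
    a sender could forge those headers as easily as From."""
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        # dmarc=pass already implies the From domain is aligned.
        found |= {d.lower() for d in re.findall(r"dmarc=pass[^;]*?header\.from=([\w.-]+)", ar)}
        # DKIM signing domain (strict alignment: exact domain match only).
        found |= {d.lower() for d in re.findall(r"dkim=pass[^;]*?header\.d=([\w.-]+)", ar)}
        # SPF-authenticated envelope sender; smtp.mailfrom may be an address or a domain.
        found |= {d.lower() for d in re.findall(
            r"spf=pass[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", ar)}
    return found

def may_post_as_owner(raw_message, owners=GROUP_OWNERS):
    """True only if the From address is an owner AND its domain was
    authenticated; a bare From match (the flaw in the report) is not enough."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))   # ignores display-name tricks
    addr = addr.lower()
    if addr not in owners:
        return False
    domain = addr.rsplit("@", 1)[-1]
    return domain in verified_domains(msg)

# Constructed sample: spoofed From via a relay that fails SPF and has no DKIM.
SPOOFED = """\
Authentication-Results: mx.sample.edu; spf=fail smtp.mailfrom=sample.edu; dkim=none
From: group.owner@sample.edu
To: test.group@sample.edu
Subject: announcement

forged body
"""

# Constructed sample: genuine owner mail, DKIM-signed by the owner's domain.
LEGIT = """\
Authentication-Results: mx.sample.edu; spf=pass smtp.mailfrom=group.owner@sample.edu; dkim=pass header.d=sample.edu
From: Group Owner <group.owner@sample.edu>
To: test.group@sample.edu
Subject: announcement

real body
"""

if __name__ == "__main__":
    print("spoofed accepted:", may_post_as_owner(SPOOFED))  # False
    print("legit accepted:", may_post_as_owner(LEGIT))      # True
```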
