11 May 2011

Please check, is it true? -- "CRITICAL ISSUE/SECURITY FLAW with Google Apps"

I got this mail from some source. Could someone check it?

----Steps to reproduce the issue------

1. Create an announcement group in Google Apps (my university is using the education edition).

Let the group name be testgroup and the group email id -

2. Add some email ids to the group.

3. Add an email id as the owner of the group, say email id -

4. Use a "fake mailer service". In the "send from" field :-; "send-to" field:-

5. The mail will be sent to all the group members of testgroup.

6. The email will also appear in the Sent Items of the email id -

PS: I have not tested it with a "normal" PHP (or other) mail script, but with a fake mailer service available online.

This should be fixed at the earliest, and just email-based validation for the group owner (or others that have permissions to post/mail) for checking the permission should not be the ONLY (as other validations fail in this context) validation.

I would be happy to be contacted if some more information is required. And also to be notified when this is fixed.


Mayank Gupta.

By- Narendra Sisodiya
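
One way a group service could act on the report's last point, that a matching From address alone should not authorize a post. This is an added example, not part of the original mail and not Google's code. The authserv-id `mx.example.edu`, the addresses and the sample messages are constructed, and it assumes the receiving mail server records DMARC results in an `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: our own inbound MTA stamps this authserv-id (RFC 8601) and
# strips any incoming Authentication-Results header that claims it.
TRUSTED_AUTHSERV = "mx.example.edu"

def dmarc_pass_domains(msg, authserv=TRUSTED_AUTHSERV):
    """Domains for which our own MTA recorded dmarc=pass."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        server, _, results = value.partition(";")
        if server.strip().lower() != authserv:
            continue  # header written by some other host: ignore it
        for m in re.finditer(r"dmarc=pass\b[^;]*?header\.from=([\w.-]+)", results, re.I):
            domains.add(m.group(1).lower())
    return domains

def posting_decision(raw, owners):
    """Return 'deliver', 'moderate' or 'reject' for a message sent to the group."""
    msg = message_from_string(raw)
    senders = getaddresses(msg.get_all("From", []))
    if len(senders) != 1:
        return "reject"  # missing or multiple From addresses
    addr = senders[0][1].lower()
    if addr not in owners:
        return "reject"  # address has no posting permission at all
    domain = addr.rpartition("@")[2]
    if domain in dmarc_pass_domains(msg):
        return "deliver"  # owner address AND authenticated sending domain
    return "moderate"  # owner address claimed, but nothing proves it

# Constructed sample messages (not taken from the report).
OWNERS = {"owner@example.edu"}
SPOOFED = (
    "Authentication-Results: mx.example.edu;"
    " spf=fail smtp.mailfrom=mailer.example.net; dmarc=fail header.from=example.edu\n"
    "From: Group Owner <owner@example.edu>\n"
    "To: testgroup@example.edu\nSubject: hi\n\nbody\n")
GENUINE = (SPOOFED
           .replace("spf=fail smtp.mailfrom=mailer.example.net", "spf=pass smtp.mailfrom=example.edu")
           .replace("dmarc=fail", "dmarc=pass"))
```

A message that claims the owner's address but fails authentication is held for moderation instead of being fanned out to the group.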
