  1. James Server
  2. JAMES-2240

Use of MD5 for checksum to index email body

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: master
    • Fix Version/s: None
    • Component/s: James Core
    • Labels:
      None

      Description

      In the MBoxMailRepository class, the generateKeyValue() function uses MD5 to compute a key, which is supposed to be unique in order to then index every single email body.

      However, MD5 is vulnerable to lots of collisions and an attacker could manage to replace (understand "overwrite") an existing indexed email body by another one, leading to many potential abuses.

      A more cryptographically secure hash function such as SHA-256 or SHA-512 should be used instead.
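The following is an added example, not code from James or from the reporter: a minimal digest-keyed body index that uses SHA-256 for the key and refuses to overwrite an existing entry when the key matches but the bytes differ. The class `BodyIndex`, its methods and the sample message bodies are hypothetical and constructed for illustration; they do not reflect the actual signature of `generateKeyValue()`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical stand-in for a body index keyed by a digest; not James code. */
public class BodyIndex {
    private final Map<String, byte[]> index = new HashMap<>();
    private final String algorithm;

    public BodyIndex(String algorithm) {
        this.algorithm = algorithm;
    }

    /** Hex digest of the body, used as the index key. */
    String keyFor(byte[] body) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(body);
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Stores the body; an entry with the same key but different bytes is never replaced. */
    public String store(byte[] body) throws NoSuchAlgorithmException {
        String key = keyFor(body);
        byte[] existing = index.putIfAbsent(key, body.clone());
        if (existing != null && !Arrays.equals(existing, body)) {
            throw new IllegalStateException("key collision on " + key + ": existing body kept");
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies.
        byte[] a = "Subject: invoice\r\n\r\nPay 10 EUR".getBytes(StandardCharsets.UTF_8);
        byte[] b = "Subject: invoice\r\n\r\nPay 9000 EUR".getBytes(StandardCharsets.UTF_8);
        BodyIndex idx = new BodyIndex("SHA-256");
        String ka = idx.store(a);
        String kb = idx.store(b);
        System.out.println(ka.length() * 4 + "-bit keys, distinct: " + !ka.equals(kb));
        System.out.println("re-storing the same body returns the same key: " + ka.equals(idx.store(a)));
    }
}
```

The byte comparison in `store` is a second line of defence: even with a collision-resistant digest, a key match with differing content is surfaced as an error instead of silently replacing the indexed body.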

            People

            • Assignee:
              Unassigned
              Reporter:
              thithib Thibaut SAUTEREAU