[Bug 340355] [NEW] Kmail send Message Disposition Notifications without any Requirements

Jörg Frings-Fürst jff at jff-webhosting.net
Tue Mar 10 07:18:10 UTC 2009


*** This bug is a security vulnerability ***

Public security bug reported:

kmail 1.9.10 (KDE3.5.10)

I found this message in my kmail send-folder:

From: "=?utf-8?q?J=C3=B6rg?= =?utf-8?q?_Frings-F=C3=BCrst?=" <jff at jff-software.de>
Organization: JFF-Software
X-KMail-Identity: 214509508
X-KMail-Fcc: .1917627007.directory/.INBOX.directory/Sent
To: "Wer kennt wen?" <noreply at wer-kennt-wen.de>
Subject: Message Disposition Notification
Date: Tue, 10 Mar 2009 07:48:10 +0100
User-Agent: KMail/1.9.10
MIME-Version: 1.0
Content-Type: Multipart/report;
  boundary="Boundary-00=_q0gtJN+YygTmQ2K";
  report-type="disposition-notification"
In-Reply-To: <E1LgvT9-0001LW-0R at wkw-fra67>
References: <E1LgvT9-0001LW-0R at wkw-fra67>
Message-Id: <200903100748.10760.jff at jff-software.de>
Status: RO
X-Status: RQC
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:  
X-Length: 1530
X-UID: 1

--Boundary-00=_q0gtJN+YygTmQ2K
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Die am 10.03.2009 07:29 an JFF at JFF-Software.de mit dem Betreff "Uwe hat Dic=
h gefunden!" gesendete Nachricht wurde ungesehen gel=C3=B6scht. Dies ist al=
lerdings keine Garantie daf=C3=BCr, dass die Nachricht nicht wiederhergeste=
llt und sp=C3=A4ter gelesen wird.
--Boundary-00=_q0gtJN+YygTmQ2K
Content-Type: Message/disposition-notification
Content-Transfer-Encoding: 7bit


The header of the original mail:

Return-Path: <noreply at wer-kennt-wen.de>
Received: from murder ([unix socket])
	 (authenticated user=jff bits=0)
	 by mars (Cyrus v2.2.13) with LMTPA;
	 Tue, 10 Mar 2009 07:34:50 +0100
X-Sieve: CMU Sieve 2.2
Received: from mars.jff-webhosting.net (localhost [127.0.0.1])
	by mars.jff-webhosting.loc (Postfix) with ESMTP id 70D667009E96
	for <jff at localhost>; Tue, 10 Mar 2009 07:34:50 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin
	3.2.5-rules_by_jff_software.de_v.2.0.3_2008_11_09 (2008-06-10) on
	s15320009.onlinehome-server.info
X-Spam-Level: 
X-Spam-Status: No, score=0.5 required=5.0 test=AWL,HTML_MESSAGE,
	MIME_QP_LONG_LINE,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no
X-Original-To: JFF at JFF-Software.de
Delivered-To: web5_jff at s15320009.onlinehome-server.info
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=85.10.202.199; helo=mailx5.wer-kennt-wen.de; envelope-from=noreply at wer-kennt-wen.de; receiver=jff at jff-software.de 
X-DKIM: Sendmail DKIM Filter v2.8.1 s15320009.onlinehome-server.info 9FACC1400BDB
Received: from birgit-zouaghi.de
	by mars.jff-webhosting.net with POP3 (fetchmail-6.3.5 polling birgit-zouaghi.de account web5_jff)
	for <jff at localhost> (single-drop); Tue, 10 Mar 2009 07:34:50 +0100 (CET)
Received: from mailx5.wer-kennt-wen.de (mailx5.wer-kennt-wen.de [85.10.202.199])
	by s15320009.onlinehome-server.info (Postfix) with ESMTP id 9FACC1400BDB
	for <JFF at JFF-Software.de>; Tue, 10 Mar 2009 07:29:45 +0100 (CET)
Received: from wkw-fra67 (unknown [217.118.171.77])
	by mailx5.wer-kennt-wen.de (Postfix) with ESMTP id 7E0A52DC0339
	for <JFF at JFF-Software.de>; Tue, 10 Mar 2009 07:29:44 +0100 (CET)
Received: from nobody by wkw-fra67 with local (Exim 4.63)
	(envelope-from <noreply at wer-kennt-wen.de>)
	id 1LgvT9-0001LW-0R
	for JFF at JFF-Software.de; Tue, 10 Mar 2009 07:29:39 +0100
To: JFF at JFF-Software.de
Subject: Uwe hat Dich gefunden!
From: Wer kennt wen? <noreply at wer-kennt-wen.de>
Date: Tue, 10 Mar 2009 07:29:39 +0100
X-Security: message sanitized on s15320009
	See http://www.impsec.org/email-tools/sanitizer-intro.html
	for details. $Revision: 1.151 $Date: 2006-01-20 07:29:24-08 
X-Security: The postmaster has not enabled quarantine of poisoned messages.
Content-Type: multipart/alternative;
  charset="iso-8859-1";
  boundary="=_0a9092b06f2b57e6b9a338e2f34a04d9"
MIME-Version: 1.0
Message-Id: <E1LgvT9-0001LW-0R at wkw-fra67>
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 0.94.2/9083/Tue Mar 10 06:20:57 2009
X-Length: 8971
X-UID: 2
X-KMail-Filtered: 440312
Status: RO
X-Status: ORC
X-KMail-EncryptionState:  
X-KMail-SignatureState:  
X-KMail-MDN-Sent:  


--=_0a9092b06f2b57e6b9a338e2f34a04d9
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


In the setup, MDN is marked to be sent only after a question.

** Affects: kdepim (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
Kmail send Message Disposition Notifications without any Requirements
https://bugs.launchpad.net/bugs/340355
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to kdepim in ubuntu.
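
Added example (not part of the original report and not KMail code): a Python check for auditing a sent folder for messages like the one above. It flags `multipart/report` messages with `report-type="disposition-notification"` and reads the RFC 3798 `Disposition` field to see whether the client declared the MDN as sent automatically. The sample message, its addresses and field values are constructed, and the function names are illustrative.

```python
import email
from email.utils import parseaddr

# Constructed sample of a sent MDN; addresses and field values are made up.
SAMPLE_MDN = """\
To: "Sender" <noreply@example.net>
Content-Type: Multipart/report;
  boundary="b1"; report-type="disposition-notification"
In-Reply-To: <msg-1@example.net>

--b1
Content-Type: text/plain

The message was deleted without being displayed.
--b1
Content-Type: Message/disposition-notification

Final-Recipient: rfc822; user@example.org
Disposition: automatic-action/MDN-sent-automatically; deleted

--b1--
"""

def mdn_fields(part):
    """Fields of a message/disposition-notification part, or None."""
    payload = part.get_payload()
    if isinstance(payload, list):  # stdlib parses message/* as a nested message
        return payload[0] if payload else None
    return email.message_from_string(payload or "")

def audit_sent_message(raw):
    """Return None for ordinary mail, else a dict describing the MDN."""
    msg = email.message_from_string(raw)
    report = (msg.get_param("report-type") or "").lower()
    if msg.get_content_type() != "multipart/report" or report != "disposition-notification":
        return None
    found = {"to": parseaddr(msg.get("To", ""))[1], "answers": msg.get("In-Reply-To"),
             "action": "unknown", "sending": "unknown", "type": "unknown"}
    for part in msg.walk():
        if part.get_content_type() != "message/disposition-notification":
            continue
        fields = mdn_fields(part)
        disposition = fields.get("Disposition") if fields is not None else None
        if disposition:  # RFC 3798: action-mode "/" sending-mode ";" disposition-type
            mode, _, dtype = disposition.partition(";")
            action, _, sending = mode.partition("/")
            found.update(action=action.strip().lower(), sending=sending.strip().lower(),
                         type=dtype.strip().lower())
    return found
```

An MDN whose notification part carries no `Disposition` field is still reported, with the mode left as `unknown`.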



