[horde] service/resetpassword.php

Andreas Schulze sca at andreasschulze.de
Wed May 15 19:37:11 UTC 2013


Hello,

horde-5.1.0-beta3:
when a user requests a password reset, Horde sends a message with suspect header fields.
Subject, From and To header fields start with lowercase, which is uncommon and results in
SpamAssassin points.

Patch attached.

More critical: the message is sent with the sender address set to the user's address.

Consider a user requesting a password reset with a @gmx.net address.
The message will be sent to gmx.net with a sender address at gmx.net. That violates the SPF record gmx provides
and enforces. The message will at least be placed in a spam folder or rejected altogether.

I suggest an enhancement where the Horde admin may specify a dedicated sender address for password reset messages.

Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: service_resetpassword.patch
Type: text/x-patch
Size: 1257 bytes
Desc: not available
URL: <http://lists.horde.org/archives/horde/attachments/20130515/1c6450b8/attachment-0001.bin>
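As an added illustration of the SPF failure described in the report (this is not the attached patch and not Horde's own code), the following Python script builds a constructed SPF table and a minimal evaluator that handles only `ip4` mechanisms and the `all` qualifier: the Horde host sending with a gmx.net sender address fails gmx.net's record, while a dedicated sender address on the Horde host's own domain passes. It also assembles the reset message with canonical header names. The IP addresses, record contents, domain `horde.example` and `HORDE_SERVER_IP` are assumptions, not values from the report.

```python
"""Constructed SPF table plus a minimal evaluator (ip4 mechanisms and 'all' only)."""
import ipaddress
from email.message import EmailMessage

# Constructed records using documentation address ranges; not real gmx.net data.
SPF_RECORDS = {
    "gmx.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "horde.example": "v=spf1 ip4:203.0.113.10 -all",
}
HORDE_SERVER_IP = "203.0.113.10"  # assumed address of the Horde host's outgoing MTA

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(sender, connecting_ip, records=SPF_RECORDS):
    """Evaluate the sender domain's SPF record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    Only ip4:<cidr> and all are understood; other mechanisms never match.
    """
    domain = sender.rsplit("@", 1)[1].lower()
    record = records.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            matched = mech == "all"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


def build_reset_message(user, sender, subject="Password reset"):
    """Assemble the notification with canonical header names and a fixed sender."""
    msg = EmailMessage()
    msg["From"] = sender      # dedicated address on the Horde host's domain
    msg["To"] = user
    msg["Subject"] = subject
    msg.set_content("A password reset was requested for this account.")
    return msg


if __name__ == "__main__":
    print("user address as sender:", spf_result("alice@gmx.net", HORDE_SERVER_IP))
    print("dedicated sender:      ", spf_result("horde@horde.example", HORDE_SERVER_IP))
    print(build_reset_message("alice@gmx.net", "horde@horde.example"))
```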

