Wrong email addresses! I can see other people's email!

Issue #1036 closed
Michi created an issue

Hello,

I'm creating a new piler for our company, because we want to migrate to a new.

But now I have an issue.

Using single sign-on I am registered correctly, but I can see mails of other employees, although I am not assigned as an auditor or administrator.

All in all: I can see other people's email!

I am using:

piler 1.3.6
Ubuntu 18.04
apache2

What can I do to fix this?

Many thanks in advance.

Comments (17)

  1. Janos SUTO repo owner

    Check if the assigned email addresses are actually fine. If so, then show me the sphinx query when you click on the search button.

  2. Michi reporter

    @Janos SUTO thanks for your quick answer.

    Yes the email addresses are fine, but some of them in the query are not mine.

    Only the ones which contain firstname1xname1 or FLname1 are mine.

    sphinx query:

    Dec 17 15:29:37 uaetz64 piler-webui[28023]: sphinx query: 'SELECT id FROM main1,dailydelta1,delta1 WHERE MATCH(' (@from firstname1Xname1Xdomain1Xcom| fristname2Xname2Xdomain1Xcom| FLname1Xdomain2Xdomain2Xcom| FLname1Xdomain1Xcom| firstname2Xname2Xdomain2Xdomain2Xcom | @to fristname1Xname1Xdomain1Xcom| fristname2Xname2Xdomain1Xcom| FLname1Xdomain2Xdomain2Xcom| FLname1Xdomain1Xcom| fristname2Xname2Xdomain2Xdomain2Xcom ) ') ORDER BY `sent` DESC LIMIT 0,20 OPTION max_matches=1000' in 0.02 s, 20 hits, 29421 total found

  3. Janos SUTO repo owner

    OK, now click on an email you shouldn’t see. On the preview pane hover over the download link. You should see an url ending with the message serial id, a number.

    Then take this number (123 in this example), and select the following in the mysql piler database ():

    select * from rcpt where id=123;

    And verify that none of the emails you mentioned above occur in the result. In that case you can really see a message not meant for you.

  4. Janos SUTO repo owner

    OK, we need to dig further. Set $config['LOG_LEVEL'] = DEBUG; in config-site.php, then click on the message again. In the meantime check the logged sql queries in /var/log/mail.log, and look for a line with sql=SELECT id FROM v_messages WHERE id=? I’d like to see the results.

  5. Michi reporter

    Log level has been set to debug.

    • Here are the results with the line you requested:

    sql=SELECT id FROM v_messages WHERE id=? AND ( `from` IN (?,?,?,?,?) OR `to` IN (?,?,?,?,?) ), arr=8089313;wrongname@domain1.com;rightname1@domain1.com;rightname2@domain2.com;rightname2@domain1.com;rightname1@domain2.com;wrongname@domain1.com;rightname1@domain1.com;rightname2@domain2.com;rightname2@domain1.com;rightname1@domain2.com

    I only have one additional wrong mapping (wrongname), my colleague has several wrong mappings and can see mails from many other people.


    The piler settings have been copied from our production machine where this issue does not occur.

    Differences between machines:

    • production is ubuntu 16.04, new is 18.04
    • production has piler (1.3.4) compiled from source, new machine has debian/Ubuntu binaries (1.3.6)

  6. Janos SUTO repo owner

    OK, then we are one step closer. We should figure out why any wrong address appears among your associated email addresses.

    Now logout, then login, and check the ldap query in mail.log

  7. Michi reporter

    If I log out:

    Dec 19 16:01:53 uaetz64 piler-webui[816]: sql=INSERT INTO audit (ts, email, domain, action, ipaddr, meta_id, description) VALUES(?,?,?,?,?,?,?), arr=1576767713;firstname1.name1@domain1.com;domain1.com;4;10.29.41.23;;

    firstname1 and name1 are me.


    If I log back in:

    Notice that firstname1, name1 and FLname1 are me.

    Notice that, if "notme" is bold, it's the one whose mails I can see.

    Dec 19 16:01:59 uaetz64 piler-webui[816]: checking entry: CN=notme noteme,OU=Normal-Users,OU=Users,OU=AU,OU=_Organisation,DC=xyxc,DC=biz

    Dec 19 16:01:59 uaetz64 piler-webui[816]: checking entry: CN=notme notme,OU=Normal-Users,OU=Users,OU=AU,OU=_Organisation,DC=xyxc,DC=biz

    Dec 19 16:01:59 uaetz64 piler-webui[816]: checking entry: CN=notme notme,OU=Normal-Users,OU=Users,OU=AU,OU=_Organisation,DC=xyxc,DC=biz

    ….. (there are many more users, who are not me) ..

    Dec 19 16:01:59 uaetz64 piler-webui[816]: checking entry: CN=notme notme,OU=Normal-Users,OU=Users,OU=AU,OU=_Organisation,DC=xyxc,DC=biz

    Dec 19 16:01:59 uaetz64 piler-webui[816]: checking entry: CN=notme notme,OU=Normal-Users,OU=Users,OU=AU,OU=_Organisation,DC=xyxc,DC=biz

    The bold one above is the one whose emails I can see.

    Dec 19 16:01:59 uaetz64 piler-webui[816]: checking ldap entry dn: CN=name1 firstname1,OU=Normal-Users,OU=Users,OU=AU,OU=_Organisation,DC=xyxc,DC=biz, cn: name1 firstname1

    Dec 19 16:01:59 uaetz64 piler-webui[816]: checking entry #2: firstname1.name1@domain1.com

    Dec 19 16:01:59 uaetz64 piler-webui[816]: checking entry: smtp:FLname1@domain2.com

    Dec 19 16:01:59 uaetz64 piler-webui[816]: checking entry: smtp:FLname1@domain1.com

    Dec 19 16:01:59 uaetz64 piler-webui[816]: checking entry: smtp:firstname1.name1@domain2.com

    Dec 19 16:01:59 uaetz64 piler-webui[816]: checking entry: SMTP:firstname1.name1@domain1.com

    Dec 19 16:01:59 uaetz64 piler-webui[816]: sql=SELECT g.email FROM `group_email` g WHERE g.id IN (SELECT u.id FROM `group_user` u WHERE u.email IN (?,?,?,?,?)), arr=notme.notme@domain1.com;firstname1.name1@domain1.com;FLname1@domain2.com;FLname1@domain1.com;firstname1.name1@domain2.com

    Dec 19 16:01:59 uaetz64 piler-webui[816]: sql=SELECT domain FROM domain WHERE mapped IN (SELECT mapped FROM domain WHERE domain=?), arr=domain1.com

    Dec 19 16:01:59 uaetz64 piler-webui[816]: sql=SELECT uid FROM email WHERE email=?, arr=firstname1.name1@domain1.com

    Dec 19 16:01:59 uaetz64 piler-webui[816]: sql=SELECT * FROM user_settings WHERE username=?, arr=firstname1.name1@domain1.com

    Dec 19 16:01:59 uaetz64 piler-webui[816]: sql=INSERT INTO audit (ts, email, domain, action, ipaddr, meta_id, description) VALUES(?,?,?,?,?,?,?), arr=1576767719;firstname1.name1@domain1.com;domain1.com;2;10.29.41.23;;successful auth against LDAP

    Dec 19 16:01:59 uaetz64 piler-webui[817]: sql=SELECT * FROM customer_settings WHERE domain=(SELECT mapped FROM domain WHERE domain=?), arr=domain1.com

    Dec 19 16:01:59 uaetz64 piler-webui[817]: sql=SELECT `id`, `name` FROM `folder` WHERE id IN (), arr=

    Dec 19 16:01:59 uaetz64 piler-webui[817]: sql=SELECT folder_user.id AS id, folder.name AS name FROM folder_user, folder WHERE uid=? AND folder_user.id=folder.id, arr=12
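    The debug output above is the evidence of the fault: the `group_email` lookup binds an address (notme.notme@domain1.com) to the session that never appeared in the authenticated user's own `checking ldap entry dn` / `checking entry: smtp:` lines. The following check automates that comparison over piler-webui debug log lines; it is an added example for this thread, not piler's own code, and the log text it parses is a constructed sample modelled on the lines posted here (placeholder names, not real addresses).

```python
import re

# Constructed sample of piler-webui DEBUG log lines, modelled on the thread above.
# Only the lines the check needs are included; names are placeholders.
SAMPLE_LOG = """\
Dec 19 16:01:59 host piler-webui[816]: checking entry: CN=notme notme,OU=Users,DC=example,DC=biz
Dec 19 16:01:59 host piler-webui[816]: checking ldap entry dn: CN=name1 firstname1,OU=Users,DC=example,DC=biz, cn: name1 firstname1
Dec 19 16:01:59 host piler-webui[816]: checking entry #2: firstname1.name1@domain1.com
Dec 19 16:01:59 host piler-webui[816]: checking entry: smtp:FLname1@domain2.com
Dec 19 16:01:59 host piler-webui[816]: checking entry: smtp:FLname1@domain1.com
Dec 19 16:01:59 host piler-webui[816]: checking entry: SMTP:firstname1.name1@domain1.com
Dec 19 16:01:59 host piler-webui[816]: sql=SELECT g.email FROM `group_email` g WHERE g.id IN (SELECT u.id FROM `group_user` u WHERE u.email IN (?,?,?,?)), arr=notme.notme@domain1.com;firstname1.name1@domain1.com;FLname1@domain2.com;FLname1@domain1.com
"""

# Addresses piler collected from the user's own LDAP entry (mail / proxyAddresses).
ENTRY_RE = re.compile(r"checking entry(?: #\d+)?: (?:smtp:)?([^,\s]+@[^,\s]+)$", re.I)
# The bound parameters of the group_email lookup: the address set the session will search with.
ARR_RE = re.compile(r"sql=SELECT g\.email FROM `group_email`.*?, arr=(.*)$")


def audit_login(log_text):
    """Return the addresses piler bound to the session that were NOT collected
    from the authenticated user's own LDAP entry. An empty list means the
    session can only search mail addressed to or from the user's own addresses."""
    own = set()
    bound = None
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            own.add(m.group(1).lower())
            continue
        m = ARR_RE.search(line)
        if m:
            bound = {a.strip().lower() for a in m.group(1).split(";") if a.strip()}
    if bound is None:
        raise ValueError("no group_email lookup found; is LOG_LEVEL set to DEBUG?")
    return sorted(bound - own)


if __name__ == "__main__":
    # On the sample this reports the one foreign address from the thread.
    print(audit_login(SAMPLE_LOG))
```

    Run it against /var/log/mail.log for one login; a non-empty result reproduces the symptom in this issue and names the addresses the user should not have.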

  8. Michi reporter

    I copied the content of the www dir of my production server over to the new server preserving the config files on the new one.

    The error did not appear anymore.

    It seems to me as if the mistake is in the www files of the piler deb package.

    Is it safe to go on using the www files from the 1.3.4 source package?

  9. Janos SUTO repo owner

    Well, yes, it’s probably safe, go ahead if it works for you.

    However, I don’t think the problem is in the www dir content from the new version of piler, because the sso check shouldn’t have changed (though I can be wrong). To prove me wrong be sure to compare model/user/auth.php from both versions. That’s the file responsible for the sso authentication.

    Also I think you might have redacted a bit too much. For sso logins there should be a logged line containing ‘samaccountname=’, and I suspect that the gui got funky results from the ldap server.

  10. Michi reporter

    So I compared the two auth.php files and there are many differences.


    But actually I think the problem was in this line:

    $query = $ldap->query(LDAP_BASE_DN, "(|(&(objectClass=user)(" . $ldap_mail_attr . "$username))(&(objectClass=group)(member=$username))(&(objectClass=group)(member=" . stripslashes($a['dn']) . ")))", array());

    because after I replaced (objectClass=group) (bold, italic) with (sAMAccountType=268435457) it is working.

    That's the new line:

    $query = $ldap->query(LDAP_BASE_DN, "(|(&(objectClass=user)(" . $ldap_mail_attr . "$username))(&(sAMAccountType=268435457)(member=$username))(&(sAMAccountType=268435457)(member=" . stripslashes($a['dn']) . ")))", array());


    The new line was already used in the old piler and written by the colleague who set it up.

    I am working with an AD LDAP and think that the problem is maybe AD specific.

  11. Janos SUTO repo owner

    Thanks for debugging it. In that case I’d suggest you to use the new gui with the fixed line.
