What is it that I am missing?

We use IMail 8.22 with killerwebmail templates.
If you go into the user's settings after you log into webmail, you can change the reply address and it shows up as the sending address.
This allows someone to forge the sender. How can this be possible?

I must be missing the obvious.

Look at the headers:

From - Tue Feb 12 17:35:47 2008
X-Account-Key: account2
X-UIDL: 484444015
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from 12.48.36.9 with HTTP
 by webserver sales.somedomain.com ($virtual150) ; Tue, 12 Feb 2008 17:27:44 CST
Date: Tue, 12 Feb 2008 17:27:45 -0600
Message-Id: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: "Wu" <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
X-Sender: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
CC: <[EMAIL PROTECTED]>
Subject: This email was sent from [EMAIL PROTECTED]
X-Mailer: <IMail v8.22>
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 484444015
X-IMail-ThreadID: 2b710000130c71dd
X-Antivirus: AVG for E-mail 7.5.516 [269.20.2/1272]

Heimeir,

I changed the reply to address as well as the last name inside the hostmaster 
account options.  I did this test earlier and it shows up as myself.

Eric
________________________________________________________________
Sent via the WebMail system at sales.somedomain.com


By the way, it's the same way in 9.23.
Here is the header from the demo system.

Received: from 192.168.12.222 [192.168.12.222] by webdemo.ipswitch.com with ESMTP
 (SMTPD-10.0) id A10501B4; Tue, 12 Feb 2008 18:51:33 -0500
To: <[EMAIL PROTECTED]>
Cc:
Date: Tue, 12 Feb 2008 23:51:33 GMT
Mime-Version: 1.0
From: "guest" <[EMAIL PROTECTED]>
Subject: test
Content-Type: multipart/mixed;
 boundary="------------Boundary-00=_GKGN6M7R0IPEIPHX2DRP"
Message-Id: <[EMAIL PROTECTED]>
X-RCPT-TO: <[EMAIL PROTECTED]>
Status:
X-UIDL: 502806177
X-IMail-ThreadID: 3105008d0000003b
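A receiving-side check for the situation in the headers above, as an added example that is not part of the original post: it compares the user-editable From address with X-Sender and reports when they differ or when X-Sender is absent, as in the 9.23 dump. It assumes X-Sender carries the account the webmail server authenticated, which the post does not confirm; the addresses are constructed placeholders because the archive redacted the real ones.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the 8.22 header dump (placeholder addresses).
SAMPLE_MISMATCH = """\
Received: from 12.48.36.9 with HTTP
 by webserver sales.somedomain.com ; Tue, 12 Feb 2008 17:27:44 CST
From: "Wu" <someone.else@example.org>
Reply-To: <someone.else@example.org>
X-Sender: <hostmaster@sales.somedomain.com>
To: <recipient@example.net>
Subject: test
X-Mailer: <IMail v8.22>

body
"""

# Constructed sample modelled on the 9.23 demo dump, which has no X-Sender.
SAMPLE_NO_XSENDER = """\
From: "guest" <guest@example.org>
To: <recipient@example.net>
Subject: test

body
"""

def addr(msg, header):
    """Return the lower-cased address from a header, or None if absent/empty."""
    value = msg.get(header)
    if value is None:
        return None
    return parseaddr(value)[1].lower() or None

def check_sender(raw):
    """Classify a raw message as 'match', 'mismatch' or 'unverifiable'.

    Assumption: X-Sender holds the account the webmail server authenticated.
    """
    msg = message_from_string(raw)
    claimed = addr(msg, "From")
    authenticated = addr(msg, "X-Sender")
    if claimed is None or authenticated is None:
        return "unverifiable"   # nothing trustworthy to compare against
    return "match" if claimed == authenticated else "mismatch"

if __name__ == "__main__":
    for name, raw in (("8.22-style", SAMPLE_MISMATCH), ("no X-Sender", SAMPLE_NO_XSENDER)):
        print(name, "->", check_sender(raw))
```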