Akelos Framework v1 forum archive. This forum is no longer maintained. To report bugs please visit https://github.com/akelos/akelos/issues

    Akelos security announcement.

    Akelos Action Mailer, a component for composing, sending and receiving messages included in the Akelos Framework has a serious security bug wich under certain circumstances propagates information about your mailer objects on the email headers.

    You can reproduce this bug easily if you use the Admin plugin and the PHP mail() delivery method. This headers the

    Application-Name: Akelos Application
    Http-Auth-Realm: Application Administration
    Token-Key: e2e8771a-137b-c564-f116-df0edc3dd7dc
    Do-Not-Reply-Email: do-not-reply@example.com
    Allow-Sign-Up: 1
    Controller: dashboard
    Module: admin
    Action: logout

    This only affects the PHP Mail driver when setting mail fileds directly as Mailer attribute instances.

    If you have in your application mailers

    $this->recipients   = $recipient;
    $this->body         = 'This is the body';
    $this->subject      = 'The subject';
    $this->from         = array('Akelos' => 'akelos@example.com');

    your are advised to immediately update you application action mailer to the latest version in Akelos trunk http://svn.akelos.org/trunk/lib/AkActionMailer/

    If you used the setter method in your applications like:

    'recipients' => $recipient,
    'body'=>'This is the body',
    'subject' => 'The subject',
    'from' => array('Akelos' => 'akelos@example.com')

    you will not be affected by this issue.

    The new Akelos release 1.0.1 is not affected by this issue.