Akelos Action Mailer, the component for composing, sending and receiving messages included in the Akelos Framework, has a serious security bug which, under certain circumstances, propagates information about your mailer objects into the email headers.
You can reproduce this bug easily if you use the Admin plugin and the PHP mail() delivery method. These are the headers that get leaked:
Application-Name: Akelos Application
Http-Auth-Realm: Application Administration
Token-Key: e2e8771a-137b-c564-f116-df0edc3dd7dc
Do-Not-Reply-Email: do-not-reply@example.com
Allow-Sign-Up: 1
Controller: dashboard
Module: admin
Action: logout
This only affects the PHP Mail driver when mail fields are set directly as Mailer attribute instances.
If your application mailers set the fields directly as attributes, like:
$this->recipients = $recipient;
$this->body = 'This is the body';
$this->subject = 'The subject';
$this->from = array('Akelos' => 'akelos@example.com');
you are advised to immediately update your application's action mailer to the latest version in Akelos trunk: http://svn.akelos.org/trunk/lib/AkActionMailer/
If you used the setter method in your applications like:
$this->set(array(
'recipients' => $recipient,
'body' => 'This is the body',
'subject' => 'The subject',
'from' => array('Akelos' => 'akelos@example.com')
));
you will not be affected by this issue.
The new Akelos release 1.0.1 is not affected by this issue.
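As an added illustration (not Akelos code), the leak described above is modelled as a mailer that turns every object attribute into a mail header, which is an assumed mechanism for the purpose of the example; beside it is an allow-list version that only ever emits From and Subject, plus a small check that reports any header not on the allow-list. All class and attribute names and values are constructed for this example.

```php
<?php
// Added example, not Akelos code. LeakyMailer shows the assumed failure mode
// (every attribute becomes a header); SafeMailer shows the allow-list fix.
class LeakyMailer
{
    public $recipients = 'user@example.com';
    public $subject    = 'The subject';
    public $body       = 'This is the body';
    public $from       = array('Akelos' => 'akelos@example.com');
    // Unrelated application state that must never reach the wire (constructed values)
    public $token_key  = 'CONSTRUCTED-TOKEN-VALUE';
    public $controller = 'dashboard';

    // Render 'Name' => 'address' arrays as "Name <address>", leave strings as-is
    protected function formatValue($value)
    {
        if (!is_array($value)) {
            return (string) $value;
        }
        $parts = array();
        foreach ($value as $name => $address) {
            $parts[] = is_string($name) ? "$name <$address>" : $address;
        }
        return implode(', ', $parts);
    }

    // Vulnerable pattern: every attribute except the mail() arguments becomes a header
    public function headers()
    {
        $headers = array();
        foreach (get_object_vars($this) as $name => $value) {
            if ($name === 'recipients' || $name === 'body') {
                continue; // passed to mail() as separate arguments, not as headers
            }
            $headers[ucwords(str_replace('_', '-', $name), '-')] = $this->formatValue($value);
        }
        return $headers;
    }
}

class SafeMailer extends LeakyMailer
{
    private static $headerFields = array('from' => 'From', 'subject' => 'Subject');

    // Hardened pattern: only allow-listed attributes become headers, CR/LF stripped
    public function headers()
    {
        $headers = array();
        foreach (self::$headerFields as $attr => $header) {
            $headers[$header] = str_replace(array("\r", "\n"), '', $this->formatValue($this->$attr));
        }
        return $headers;
    }
}

// Defender check: which headers would be sent that are not on the allow-list?
function leakedHeaders(array $headers, array $allowed)
{
    return array_diff_key($headers, array_flip($allowed));
}

print_r(leakedHeaders((new LeakyMailer)->headers(), array('From', 'Subject')));
print_r(leakedHeaders((new SafeMailer)->headers(), array('From', 'Subject')));
```

Running it lists Token-Key and Controller for the leaky mailer and nothing for the safe one; the same leakedHeaders() check can be dropped into a unit test against whatever headers your mailer actually builds.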