SOGo Webmail Insecure Direct Object Reference Vulnerability Allowing Email Impersonation

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability exists in SOGo Webmail versions prior to 5.6.0. It allows an authenticated user to send email on behalf of other users by manipulating a user-controlled sender identifier in the email-sending request. The server does not verify that the authenticated user is authorized to use the specified sender identity, so the message is delivered with another user's address as its sender. This can be abused for impersonation, phishing, or other unauthorized communication within the system.

Impact

Exploitation of this vulnerability allows any authenticated user to deliver email as another user, potentially enabling impersonation or phishing against recipients who trust the spoofed sender.

Reproduction

To reproduce this vulnerability, log into an account, compose and send an email, and intercept the sending request with Burp Suite. Change the 'from' parameter to the victim's email address and forward the modified request. The server responds indicating that the email was sent successfully, and the message is delivered on behalf of the other user.

Remediation

Implement strict server-side authorization checks so that users can only act on resources they own. Before sending, verify that the authenticated session owns the sender identity (address or alias) supplied in the request, and reject or overwrite any other value rather than trusting the client-supplied field.

Added: Aug 4, 2025, 8:40 PM
Updated: Aug 4, 2025, 8:40 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.