Posted to server-dev@james.apache.org by "Thibaut SAUTEREAU (JIRA)" <se...@james.apache.org> on 2017/11/28 07:24:00 UTC
[jira] [Created] (JAMES-2240) Use of MD5 for checksum to index email body
Thibaut SAUTEREAU created JAMES-2240:
----------------------------------------
Summary: Use of MD5 for checksum to index email body
Key: JAMES-2240
URL: https://issues.apache.org/jira/browse/JAMES-2240
Project: James Server
Issue Type: Bug
Components: James Core
Affects Versions: master
Reporter: Thibaut SAUTEREAU
In the MBoxMailRepository class, the generateKeyValue() function uses MD5 to compute a key, which is supposed to be unique in order to then index every single email body.
However, MD5 is vulnerable to lots of collisions and an attacker could manage to replace (understand "overwrite") an existing indexed email body with another one, leading to many potential abuses.
A more cryptographically secure hash function such as SHA-256 or SHA-512 should be used instead.