Posted to server-dev@james.apache.org by "Thibaut SAUTEREAU (JIRA)" <se...@james.apache.org> on 2017/11/28 07:24:00 UTC

[jira] [Created] (JAMES-2240) Use of MD5 for checksum to index email body

Thibaut SAUTEREAU created JAMES-2240:
----------------------------------------

             Summary: Use of MD5 for checksum to index email body
                 Key: JAMES-2240
                 URL: https://issues.apache.org/jira/browse/JAMES-2240
             Project: James Server
          Issue Type: Bug
          Components: James Core
    Affects Versions: master
            Reporter: Thibaut SAUTEREAU


In the MBoxMailRepository class, the generateKeyValue() function uses MD5 to compute a key, which is supposed to be unique in order to then index every single email body.

However, MD5 is vulnerable to lots of collisions and an attacker could manage to replace (understand "overwrite") an existing indexed email body by another one, leading to many potential abuses.

A more cryptographically secure hash function such as SHA-256 or SHA-512 should be used instead.



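A sketch of the fix the report proposes, added here as an illustration and not taken from the James code base: keys are SHA-256 digests, and the store refuses to replace a different body under an existing key instead of silently overwriting it. `BodyIndex`, `keyFor` and `put` are hypothetical names, and the one-byte key used in `main` is a constructed stand-in for a digest whose collisions are practical to find.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added illustration; BodyIndex, keyFor and put are hypothetical names, not James code.
public class BodyIndex {
    private final Map<String, String> bodiesByKey = new HashMap<>();
    private final int keyBytes; // number of SHA-256 digest bytes kept in the key (1..32)
    BodyIndex(int keyBytes) { this.keyBytes = keyBytes; }

    // Hex key derived from the SHA-256 digest of the body.
    String keyFor(String body) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(body.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < keyBytes; i++) {
                hex.append(String.format("%02x", digest[i] & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every JVM
        }
    }

    // Stores the body; never replaces a different body already stored under the key.
    String put(String body) {
        String key = keyFor(body);
        String existing = bodiesByKey.putIfAbsent(key, body);
        if (existing != null && !existing.equals(body)) {
            throw new IllegalStateException("key " + key + " already maps to another body");
        }
        return key;
    }

    public static void main(String[] args) {
        // Constructed demo: a 1-byte key collides within 257 inserts (pigeonhole),
        // standing in for a digest whose collisions are practical to find.
        BodyIndex weak = new BodyIndex(1);
        try {
            for (int i = 0; i <= 256; i++) weak.put("constructed body " + i);
        } catch (IllegalStateException e) {
            System.out.println("rejected overwrite: " + e.getMessage());
        }
        // Full 32-byte SHA-256 key, as the report recommends.
        System.out.println(new BodyIndex(32).put("constructed body 0"));
    }
}
```

The equality check in `put` is what turns a key collision from a silent overwrite into a detectable error, independent of which digest produces the key.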