Replied: Thu, 17 Jan 2002 18:31:35 -0500
Replied: "Ali Kaplan"
Return-Path: alikapla@cs.indiana.edu
Delivery-Date: Thu Jan 17 18:24:38 2002
Return-Path:
Received: from mask.uits.indiana.edu (mask.uits.indiana.edu [129.79.6.184]) by grids.ucs.indiana.edu (8.10.2+Sun/8.10.2) with ESMTP id g0HNOb607755 for ; Thu, 17 Jan 2002 18:24:37 -0500 (EST)
Received: from whale.cs.indiana.edu (whale.cs.indiana.edu [129.79.246.27]) by mask.uits.indiana.edu (8.10.1/8.10.1/IUPO) with ESMTP id g0HNKRw23854; Thu, 17 Jan 2002 18:20:27 -0500 (EST)
Received: from alikaplan (dhcp-wireless-73-13.ucs.indiana.edu [156.56.73.13]) by whale.cs.indiana.edu (8.11.6/8.11.6/IUCS_2.43) with SMTP id g0HNOYd20442; Thu, 17 Jan 2002 18:24:34 -0500 (EST)
Message-ID: <006301c19fae$a22dc900$0201a8c0@alikaplan>
From: "Ali Kaplan"
To:
Cc: "Ali Kaplan"
Subject: security issue on postage
Date: Thu, 17 Jan 2002 18:28:13 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0060_01C19F84.B8EFD770"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Content-Length: 6188

Hi Dr. Fox,

I have been thinking about how secure our system is in publishing e-mail messages on the JMS server. I can say that if a malicious user gets any user's e-mail address, he can send any message into our system. And I know that changing the sender name, email, and message ID in the mail header is not that difficult. I am sending you another mail, which seems to be from Indiana University, to show this case. My suggestion is that we should use a keyword or password (which is not a password) to publish messages into JMS. This keyword/password is different from the Jetspeed or his/her email password. We use it only in checking before publishing, and we remove it from the original message after publishing it so nobody can see it. Therefore, I think we add a field in our schema for that password.
<?xml version="1.0"?>
<okc version="3" xmlns="http://grids.ucs.indiana.edu/okc/schema/admin/ver/3">
    <event>
        <category main="facility"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="java:commgridsv1.xsd.schema.Category"/>
        <messageType
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="java:commgridsv1.xsd.schema.MessageType">newsmessage</messageType>
        <comment></comment>
        <sender email="alikapla@indiana.edu">Ali Kaplan</sender>
        <publishkey>adr!wer</publishkey>
        <distribution>Community Grids Project Reports</distribution>
        <update createuri="gxos://okc/newsgroups/cgreports/$next"/>
        <keywords></keywords>
        <subject></subject>
        <message><br/>
        </message>
        <filingdate>1/16/2002</filingdate>
        <references>
            <reference uri="gxos://okc/newsgroups/cgreports/197"/>
        </references>
    </event>
</okc>
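
The check proposed in the message, as an added example (not part of the original e-mail or the project's code): a gate that verifies each event's `<publishkey>` against a per-sender key and strips it before the message is published. `PUBLISH_KEYS`, `gate` and `Rejected` are hypothetical names, and the sample is constructed from the XML in the message.

```python
import hmac
import xml.etree.ElementTree as ET

NS = "http://grids.ucs.indiana.edu/okc/schema/admin/ver/3"  # namespace from the message
Q = "{%s}" % NS
# Hypothetical key store, one publish key per sender address (constructed values).
PUBLISH_KEYS = {"alikapla@indiana.edu": "adr!wer"}

# Constructed sample: the event from the message, trimmed to the fields used here.
SAMPLE = """<?xml version="1.0"?>
<okc version="3" xmlns="http://grids.ucs.indiana.edu/okc/schema/admin/ver/3">
  <event>
    <sender email="alikapla@indiana.edu">Ali Kaplan</sender>
    <publishkey>adr!wer</publishkey>
    <distribution>Community Grids Project Reports</distribution>
  </event>
</okc>"""

class Rejected(Exception):
    """The message must not be published."""

def gate(raw_xml: str) -> str:
    """Verify every event's publish key, strip it, and return the XML to publish."""
    if "<!DOCTYPE" in raw_xml:  # no DTDs or entity tricks from untrusted mail
        raise Rejected("DOCTYPE not allowed")
    try:
        root = ET.fromstring(raw_xml)
    except ET.ParseError as exc:
        raise Rejected("malformed XML") from exc
    events = root.findall(Q + "event")
    if not events:
        raise Rejected("no event element")
    for event in events:
        sender = event.find(Q + "sender")
        keys = event.findall(Q + "publishkey")
        if sender is None or len(keys) != 1:
            raise Rejected("need one sender and exactly one publishkey")
        expected = PUBLISH_KEYS.get(sender.get("email", "").strip().lower())
        supplied = (keys[0].text or "").encode()
        # Always run the constant-time compare, even for unknown senders.
        match = hmac.compare_digest(supplied, (expected or "").encode())
        if expected is None or not match:
            raise Rejected("publish key check failed")
        event.remove(keys[0])  # the key never reaches subscribers
    ET.register_namespace("", NS)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(gate(SAMPLE))
```

The key travels in the clear inside the mail body, so this check stops header forgery by someone who only knows the sender's address, not someone who can read the mail in transit.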