viewmail.php forbidden


Post by monsi » 06 Jun 2017 09:42

Hi all,

I've found an issue with viewing mail from the quarantined report.

When I click on the view link and I'm not logged in, I get redirected to the login page. Once I log in, the URL gets modified, replacing the & between token and id with &amp;, causing a forbidden message. If I manually correct it (once logged in) I am taken to the mail view, and if I place &amp; back in, the forbidden message returns.

Please can someone suggest what needs changing to fix this please!

EFA 3.0.2.3


Re: viewmail.php forbidden

Post by monsi » 06 Jun 2017 10:35

As a quick and dirty fix I've modified the checklogin.php file to replace the &amp; with &.

So on line 168 replace

header('Location: ' . sanitizeInput($redirect_url));

with

header('Location: ' . str_replace('&amp;', '&', sanitizeInput($redirect_url)));

This works correctly on the quick tests I've done, hope it helps :)


Re: viewmail.php forbidden

Post by henk » 07 Jun 2017 21:11

Hi monsi,

Helps a lot indeed :clap:
before the change:

https://eatspam.sinkhole.eu/mailscanner/viewmail.php?token=f595a4832fd0e0cbb8211933ede8f278aa17fbfe&amp;id=A4CF9120245.ACCCD

after the change:

https://eatspam.sinkhole.eu/mailscanner/viewmail.php?token=f595a4832fd0e0cbb8211933ede8f278aa17fbfe&id=A4CF9120245.ACCCD
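
Added example, not part of the original thread and not EFA or MailWatch code: why HTML-escaping a redirect target breaks the query string in a Location header, next to a check that validates the target instead of rewriting it. The function names, the allow-list and the sample token and id are assumptions made for the illustration.

```php
<?php
// Added example; not EFA/MailWatch code. All names and values are illustrative.

// Hypothetical stand-in for a sanitizer that escapes for HTML output.
function html_context_sanitize(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Validate a post-login redirect target for a Location header without
// rewriting it: local path only, allow-listed script, no control characters.
function safe_redirect_target(string $url, array $allowedScripts): ?string
{
    if ($url === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $url)) {
        return null; // CR/LF, other control bytes or backslashes
    }
    $parts = parse_url($url);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return null; // absolute or protocol-relative URL: would leave the site
    }
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/' || !in_array(basename($path), $allowedScripts, true)) {
        return null; // not a local path to an allow-listed script
    }
    return $url; // returned byte-for-byte, so '&' separators survive
}

// Return the query parameter names a server would see for a URL.
function query_keys(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return array_keys($params);
}

$allowed = ['viewmail.php'];
// Constructed sample target (token and id are made-up values).
$target = '/mailscanner/viewmail.php?token=0123abcd&id=SAMPLE12345.ABCDE';

$escaped = html_context_sanitize($target);
echo "escaped:   $escaped\n";
echo "has id?    ", in_array('id', query_keys($escaped), true) ? 'yes' : 'no', "\n";

$checked = safe_redirect_target($target, $allowed);
echo "validated: ", $checked ?? '(rejected)', "\n";
echo "has id?    ", in_array('id', query_keys((string) $checked), true) ? 'yes' : 'no', "\n";

foreach (['//other.example/viewmail.php', 'https://other.example/viewmail.php', "/viewmail.php\r\nX: y"] as $bad) {
    echo json_encode($bad), ' => ', safe_redirect_target($bad, $allowed) === null ? 'rejected' : 'accepted', "\n";
}
```

HTML escaping belongs where the URL is written into a page; a Location header needs the raw URL, so the header path is better served by validation than by escaping followed by un-escaping.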


Re: viewmail.php forbidden

Post by shawniverson » 07 Jun 2017 22:20

Version eFa 4.0.0 now available!
