I've been using Roundcube as my main web mail applicaition now for a few months.  A couple of days ago I sent an email out to a list of recipients (about 20 friends), all in the BCC field, in order to prevent people from replying to everyone on the list.  One reply I received was from someone asking why they could see everyone's email address in the BCC field.

I've just upgraded to the latest CVS version (about 10 minutes ago), and tested again.  It seems that RoundCube is including the BCC header as a regular header in the email and thus it's being sent to everyone.  Fortunately I was just using the BCC header to control replies and it didn't really matter that others could see each others info.  But this has the potential to cause some serious problems.  Imagine emailing your girlfriend explaining how she's not being rational, and bccing a buddy cause it's so funny, and then she see's you'd bcced him!  Not going to be a fun time! lol.

My Config:  Using PHP 4.3.10, on Apache 1.3.  qmail is the smtp server, and RoundCube is configured to use smtp, not mail().

--
Dave