[Tickets #5022] Re: Ability to sending email without login, spamming
bugs at bugs.horde.org
Fri Mar 9 03:40:54 UTC 2007
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=5022
-----------------------------------------------------------------------
Ticket | 5022
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | Ability to sending email without login, spamming
Queue | IMP
Version | 3.2.8
Type | Bug
State | Not A Bug
Priority | 1. Low
Owners |
-----------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2007-03-08 19:40) wrote:
But you didn't answer Jan's question. There is *no* way to send a message
via IMP without first being authenticated. If you don't believe me, try
accessing compose.php directly (without any session information).
You will get a login screen instead. If not, your installation is
seriously broken.
The only way they could use IMP to send messages is if they hijacked the
session. And exactly like Jan told you, you need to upgrade since newer
versions of Horde have further protections against this kind of attack
(i.e. IP checking).