[Tickets #11376] Re: Itip auto-accept confirmation requests
bugs at horde.org
Sun Aug 26 20:07:47 UTC 2012
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/11376
------------------------------------------------------------------------------
Ticket | 11376
Updated By | arjen+horde at de-korte.org
Summary | Itip auto-accept confirmation requests
Queue | IMP
Version | Git master
Type | Enhancement
State | Assigned
Priority | 1. Low
Milestone |
Patch |
Owners | Horde Developers, Jan Schneider, Michael Rubinsky,
| Michael Slusarz
------------------------------------------------------------------------------
arjen+horde at de-korte.org (2012-08-26 20:07) wrote:
> Sure. An attacker needs to at least know the information that an
> event exists and the details of the event, so that rules out random
> auto-sent e-mails from being a concern.
>
> But within a user's group of contacts (especially if an event has
> many potential attendees), this information is not difficult to
> obtain. So it's not a tremendously difficult attack either.
That depends. Within an organization (for "local" addresses) it is
trivial to prevent users from forging sender addresses. In that case
there is no attack vector, since people will not be able to forge
replies. But this is only the case for addresses we know are local;
replies from external (non-local) users should probably never be
auto-accepted. At the very least, there should be an option to treat
local and non-local users differently.
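The policy discussed in this thread, written out as an added, stand-alone example (not Horde/IMP code and not a patch for this ticket): an iTip REPLY is applied to the organizer's copy of an event without confirmation only when the reply names a UID and attendee the organizer already holds, the ATTENDEE matches the message's From: address, and that address is in a domain the site controls (where, as the reply above notes, the MTA can stop users forging sender addresses). Anything else is held for the organizer to confirm. LOCAL_DOMAINS, EVENT_STORE, the minimal iCalendar parser and the constructed sample messages are assumptions made for the illustration.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Assumption: domains whose MTA prevents users from forging From: addresses.
LOCAL_DOMAINS = {"example.org"}

# Assumption: the organizer's stored events, keyed by iCalendar UID;
# attendees maps lower-cased address -> current PARTSTAT.
EVENT_STORE = {
    "evt-1@example.org": {
        "attendees": {"alice@example.org": "NEEDS-ACTION",
                      "bob@partner.example.com": "NEEDS-ACTION"},
    }
}
VALID_PARTSTAT = {"ACCEPTED", "DECLINED", "TENTATIVE"}


def parse_itip_reply(ics_text):
    """Extract (method, uid, attendee, partstat) from an iTip payload.
    Folded lines are joined; the rest of the iCalendar grammar is ignored,
    which is all the policy check below needs."""
    text = ics_text.replace("\r\n", "\n").replace("\n ", "").replace("\n\t", "")
    method = uid = attendee = partstat = None
    for line in text.split("\n"):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop, _, params = name.partition(";")
        prop = prop.upper()
        if prop == "METHOD":
            method = value.strip().upper()
        elif prop == "UID":
            uid = value.strip()
        elif prop == "ATTENDEE":
            addr = value.strip().lower()
            attendee = addr[7:] if addr.startswith("mailto:") else addr
            for param in params.split(";"):
                key, _, val = param.partition("=")
                if key.upper() == "PARTSTAT":
                    partstat = val.upper()
    return method, uid, attendee, partstat


def decide(raw_message, event_store=EVENT_STORE, local_domains=LOCAL_DOMAINS):
    """Return ("apply", detail) when the REPLY may update the event without
    asking the organizer, otherwise ("hold", reason)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    ics = None
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            ics = part.get_content()
            break
    if ics is None:
        return ("hold", "no text/calendar part")
    method, uid, attendee, partstat = parse_itip_reply(ics)
    if method != "REPLY":
        return ("hold", "not an iTip REPLY")
    event = event_store.get(uid)
    if event is None:
        return ("hold", "unknown event UID")
    if attendee not in event["attendees"]:
        return ("hold", "attendee is not on the event")
    if attendee != sender:
        return ("hold", "ATTENDEE does not match From:")
    # Only for local domains can the site vouch that From: was not forged,
    # so only those replies are trusted without confirmation.
    if sender.rpartition("@")[2] not in local_domains:
        return ("hold", "non-local sender, needs confirmation")
    if partstat not in VALID_PARTSTAT:
        return ("hold", "unexpected PARTSTAT")
    return ("apply", f"{attendee} -> {partstat}")


def build_reply(from_addr, attendee, partstat, uid="evt-1@example.org"):
    """Constructed sample message: an iTip REPLY as a mail client sends it."""
    ics = "\n".join([
        "BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REPLY", "BEGIN:VEVENT",
        f"UID:{uid}", "ORGANIZER:mailto:organizer@example.org",
        f"ATTENDEE;PARTSTAT={partstat}:mailto:{attendee}",
        "DTSTAMP:20120826T200747Z", "END:VEVENT", "END:VCALENDAR", ""])
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "organizer@example.org"
    msg["Subject"] = "Re: Invitation"
    msg.set_content(ics, subtype="calendar", params={"method": "REPLY"})
    return msg.as_string()


if __name__ == "__main__":
    print(decide(build_reply("alice@example.org", "alice@example.org", "ACCEPTED")))
    print(decide(build_reply("bob@partner.example.com",
                             "bob@partner.example.com", "ACCEPTED")))
```

The check order matters: the UID and attendee lookups come first so that an unsolicited REPLY, even from a local address, is never applied; the domain test then separates senders the MTA protects from those it cannot, which is the local/non-local split the ticket asks for. A site that also verifies DKIM or SPF on inbound mail could relax the domain test for external senders, but that verification is outside this example.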