[horde] Security related.

Chuck Hagenbuch chuck at horde.org
Thu May 17 15:07:47 UTC 2007

Quoting Anant Athavale <asa at isac.gov.in>:

> One of my colleague is developing an application in VB.  He says, he  
>  is able to send an email to a person without logging in through   
> browser (He is sending the login parameters to HTTP Server directly   
> and later sending compose.php parameters directly through VB).  He   
> came to me telling that, I am unable to attach any files using this   
> method and hence came to know about this.
> In our setup, we do not want such a thing to work.  We already have   
> setup firewall to prevent direct connectivity to port 25 (Mail port)  
>  on the mail server.  Actually, we have locked from_address to  
> prevent  forged mails.  Can he escape from this check, if he uses  
> this method?

Nope. He's just using VB like a browser. He can't do anything you  
can't do from a browser.

> What steps do u recommend to prevent this.

You'd need something like a CAPTCHA on the login page.

> We are using all latest stable releases of HORDE 3.1.
> I am attaching the two PHP files, using which he is sending mails.

Nothing attached.


More information about the horde mailing list