[horde] Security related.
Chuck Hagenbuch
chuck at horde.org
Thu May 17 15:07:47 UTC 2007
Quoting Anant Athavale <asa at isac.gov.in>:
> One of my colleague is developing an application in VB. He says, he
> is able to send an email to a person without logging in through
> browser (He is sending the login parameters to HTTP Server directly
> and later sending compose.php parameters directly through VB). He
> came to me telling that, I am unable to attach any files using this
> method and hence came to know about this.
>
> In our setup, we do not want such a thing to work. We already have
> setup firewall to prevent direct connectivity to port 25 (Mail port)
> on the mail server. Actually, we have locked from_address to
> prevent forged mails. Can he escape from this check, if he uses
> this method?
Nope. He's just using VB like a browser. He can't do anything you
can't do from a browser.
> What steps do u recommend to prevent this.
You'd need something like a CAPTCHA on the login page.
> We are using all latest stable releases of HORDE 3.1.
>
> I am attaching the two PHP files, using which he is sending mails.
Nothing attached.
-chuck
More information about the horde
mailing list