[horde] Security related.
Anant Athavale
asa at isac.gov.in
Tue May 22 09:11:44 UTC 2007
Quoting Chuck Hagenbuch <chuck at horde.org>:
> Quoting Anant Athavale <asa at isac.gov.in>:
>
>> One of my colleagues is developing an application in VB. He says he
>> is able to send an email to a person without logging in through
>> a browser (he is sending the login parameters to the HTTP server directly
>> and later sending compose.php parameters directly through VB). He
>> came to me saying that he was unable to attach any files using this
>> method, and hence I came to know about this.
>>
>> In our setup, we do not want such a thing to work. We have already
>> set up a firewall to prevent direct connectivity to port 25 (mail port)
>> on the mail server. Actually, we have locked from_address to
>> prevent forged mails. Can he escape from this check if he uses
>> this method?
>
> Nope. He's just using VB like a browser. He can't do anything you
> can't do from a browser.
But how is the session maintained?
>> What steps do you recommend to prevent this?
>
> You'd need something like a CAPTCHA on the login page.
OK.
>
>> We are using all the latest stable releases of HORDE 3.1.
>>
>> I am attaching the two PHP files, using which he is sending mails.
>
> Nothing attached.
It was in my sent mail. I do not know how it went missing on the list.
Attaching again.
>
> -chuck
>
Regards,
Anant Athavale.