[horde] Security related.

Anant Athavale asa at isac.gov.in
Tue May 22 09:11:44 UTC 2007

Quoting Chuck Hagenbuch <chuck at horde.org>:

> Quoting Anant Athavale <asa at isac.gov.in>:
>> One of my colleague is developing an application in VB.  He says, he
>>  is able to send an email to a person without logging in through
>> browser (He is sending the login parameters to HTTP Server directly
>> and later sending compose.php parameters directly through VB).  He
>> came to me telling that, I am unable to attach any files using this
>> method and hence came to know about this.
>> In our setup, we do not want such a thing to work.  We already have
>> setup firewall to prevent direct connectivity to port 25 (Mail port)
>>  on the mail server.  Actually, we have locked from_address to
>> prevent  forged mails.  Can he escape from this check, if he uses
>> this method?
> Nope. He's just using VB like a browser. He can't do anything you
> can't do from a browser.

but, how does the session is maintained?

>> What steps do u recommend to prevent this.
> You'd need something like a CAPTCHA on the login page.


>> We are using all latest stable releases of HORDE 3.1.
>> I am attaching the two PHP files, using which he is sending mails.
> Nothing attached.

It was in my sent mail.  I do not know, how it missed in the list.  
Attaching again.

> -chuck
> --
> Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org


Anant Athavale.

More information about the horde mailing list