[horde] Security related.

Anant Athavale asa at isac.gov.in
Tue May 22 09:16:56 UTC 2007


Quoting Anant Athavale <asa at isac.gov.in>:

> Quoting Chuck Hagenbuch <chuck at horde.org>:
>
>> Quoting Anant Athavale <asa at isac.gov.in>:
>>
>>> One of my colleagues is developing an application in VB.  He says he
>>> is able to send an email to a person without logging in through a
>>> browser (he is sending the login parameters to the HTTP server directly
>>> and later sending the compose.php parameters directly through VB).  He
>>> came to me saying that he is unable to attach any files using this
>>> method, and hence I came to know about this.
>>>
>>> In our setup, we do not want such a thing to work.  We have already
>>> set up a firewall to prevent direct connectivity to port 25 (the mail port)
>>> on the mail server.  Actually, we have locked from_address to
>>> prevent forged mails.  Can he escape this check if he uses
>>> this method?
>>
>> Nope. He's just using VB like a browser. He can't do anything you
>> can't do from a browser.
>
> But how is the session maintained?
>
>>> What steps do you recommend to prevent this?
>>
>> You'd need something like a CAPTCHA on the login page.
>
> OK.
>
>>
>>> We are using the latest stable releases of Horde 3.1.
>>>
>>> I am attaching the two PHP files, using which he is sending mails.
>>
>> Nothing attached.
>
> It was in my sent mail.  I do not know how it went missing on the list.
> Attaching again.
>
>>
>> -chuck
>> --
>> Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
>> Frequently Asked Questions: http://horde.org/faq/
>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>
>
> Regards,
>
> Anant Athavale.
Regards,

Anant Athavale.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose.php
Type: application/x-php
Size: 21363 bytes
Desc: not available
Url : http://lists.horde.org/archives/horde/attachments/20070522/1bf9331a/attachment-0002.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: login.php
Type: application/x-php
Size: 2499 bytes
Desc: not available
Url : http://lists.horde.org/archives/horde/attachments/20070522/1bf9331a/attachment-0003.bin 