[horde] Horde 3 expand.php exploit?
Nathan Lager
nathan at accufind.com
Thu Jan 24 18:35:28 UTC 2008
Yep, not too long after I sent the message, I was able to track him down
using horde's logs. Turns out he's a recent new user.
Not any more.
Thanks!
-----------------------------------------
Nathan
Network Administrator
Accu-Find Internet Services
1-888-WEB-3371
-----Original Message-----
From: horde-bounces at lists.horde.org
[mailto:horde-bounces at lists.horde.org] On Behalf Of Jan Schneider
Sent: Thursday, January 24, 2008 12:44 PM
To: horde at lists.horde.org
Subject: Re: [horde] Horde 3 expand.php exploit?
Quoting Nathan Lager <nathan at accufind.com>:
> We have what appears to be an exploit in our horde 3 install.
>
> It looks like someone has used our webmail application to send out a
> ton of Spam.
>
> Looking through my access logs, I found things like this:
>
>
> /imp/expand.php?actionID=expand_addresses&field_name=bcc&field_value=somename%4somedomain%2C%20someothername%4someotherdomain
>
> Each entry had about 50 addresses at a time.
>
> I don't know that this in itself is the exploit, but it definitely IS
> the attacker.
>
> At this point I can't be sure if he exploited the application, or
> actually compromised a user's mailbox.
Neither. He simply uses your webmail interface. This is a regular
user, with valid credentials. Where he got them from is a different
question.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
--
Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: horde-unsubscribe at lists.horde.org
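
A log check for the request pattern quoted above, as an added example that is not part of the original thread: it scans web access log lines for `/imp/expand.php` address-expansion requests that carry a large recipient list and groups them by client address. The log layout, the threshold of 20 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

def _addrs(n):
    # Constructed placeholder recipients, encoded like the quoted request.
    return "%2C%20".join(f"user{i}%40example.org" for i in range(n))

# Constructed sample lines; the Apache combined-style layout is an assumption.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jan/2008:10:01:02 +0000] "GET /imp/expand.php'
    '?actionID=expand_addresses&field_name=bcc&field_value='
    + _addrs(50) + ' HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Jan/2008:10:01:40 +0000] "GET /imp/expand.php'
    '?actionID=expand_addresses&field_name=bcc&field_value='
    + _addrs(48) + ' HTTP/1.1" 200 498',
    '203.0.113.9 - - [24/Jan/2008:10:02:11 +0000] "GET /imp/expand.php'
    '?actionID=expand_addresses&field_name=to&field_value='
    + _addrs(2) + ' HTTP/1.1" 200 120',
    '203.0.113.9 - - [24/Jan/2008:10:02:30 +0000] "GET /imp/mailbox.php HTTP/1.1" 200 9000',
]

# client address, timestamp, request target
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')

def bulk_expand_requests(lines, threshold=20):
    """Map client address -> [(timestamp, field, recipient count)] for
    expand_addresses requests listing at least `threshold` recipients."""
    hits = defaultdict(list)
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, ts, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/imp/expand.php"):
            continue
        q = parse_qs(url.query)
        if q.get("actionID") != ["expand_addresses"]:
            continue
        field = q.get("field_name", [""])[0]
        value = q.get("field_value", [""])[0]
        # Count on commas so redacted or malformed escapes still count.
        count = sum(1 for a in value.split(",") if a.strip())
        if count >= threshold:
            hits[client].append((ts, field, count))
    return dict(hits)
```

The access log yields only a client address; tying it to an account still needs Horde's own log, which is what was used in the message above.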