[imp] Horde-imp as open relay.
Michael M Slusarz
slusarz at horde.org
Fri Mar 27 16:26:54 UTC 2009
Quoting Duane Zimmer <duane.zimmer at yourlinkinc.net>:
> Hey all,
>
> I have two error messages on two different servers. I am using
> horde 3.3 and imp 4.3 on Linux Gentoo servers. Originally
> someone found a way to send messages using compose.php script and
> they used my two domains as relays via imp. I updated to the
> current versions above but on the one server they are still able to
> send through but I have enabled policyd and limited sending from my
> webmail and I am blocking senders, I base my blocking on the apache
> access log
>
> 196.3.183.72 - - [26/Mar/2009:09:19:21 -0600] "GET
> /horde/imp/compose.php?mailbox=INBOX&uniq=1238080491000 HTTP/1.1"
> 200 6305

This has appeared on the mailing list numerous times. There is no
security issue in IMP. This can only happen if the attacker has
obtained a username/password to log in as. Newer versions of IMP have
rate limiting for senders to work around this issue.

> After the upgrade on the other server I have a
>
> PHP Notice: Undefined variable: editor in
> /var/www/localhost/htdocs/horde/imp/lib/UI/Compose.php

This is a config file issue. Or the (extremely) rare case where
'tinymce' was previously your default jseditor (it was removed in
later releases).

michael
--
___________________________________
Michael Slusarz [slusarz at horde.org]
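
The thread describes blocking senders based on compose.php entries in the Apache access log. The sketch below is an added example, not part of the original message and not Horde code: it counts compose.php requests per client IP in a sliding window and reports the clients that exceed a threshold. The thresholds and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "METHOD path ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} '
)
COMPOSE_PATH = "/horde/imp/compose.php"  # path as seen in the quoted log line


def compose_bursts(lines, max_hits=5, window=timedelta(minutes=10)):
    """Return {ip: peak_hits} for clients with more than max_hits compose.php
    requests inside any sliding window. Assumes lines are in time order."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        if m["path"].split("?", 1)[0] != COMPOSE_PATH:
            continue  # only the compose endpoint is of interest
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) > max_hits:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks


# Constructed sample input (documentation address ranges, not real clients).
SAMPLE_LOG = [
    f'192.0.2.10 - - [26/Mar/2009:09:{m:02d}:00 -0600] '
    f'"POST /horde/imp/compose.php?uniq={m} HTTP/1.1" 200 6305'
    for m in range(8)
] + [
    '198.51.100.7 - - [26/Mar/2009:09:05:00 -0600] '
    '"GET /horde/imp/compose.php?mailbox=INBOX HTTP/1.1" 200 6305',
    '198.51.100.7 - - [26/Mar/2009:10:30:00 -0600] '
    '"POST /horde/imp/compose.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [26/Mar/2009:09:03:30 -0600] '
    '"GET /horde/imp/mailbox.php HTTP/1.1" 200 900',
    'not an access log line',
]

if __name__ == "__main__":
    for ip, hits in compose_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {hits} compose.php requests within 10 minutes")
```

Because the access log shows only the client address, a flagged IP still has to be matched against the webmail login records to find which account's password needs to be changed.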