Your message dated Tue, 19 Aug 2008 18:27:09 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: [pkg-horde] Bug#495554: Bug#495554: imp4: It can be use to 
inject email thought Imp
has caused the Debian Bug report #495554,
regarding imp4: It can be use to inject email thought Imp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
495554: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495554
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: imp4
Version: 4.1.3-4
Severity: grave
Tags: security
Justification: user security hole

Imp4 allows spammers to inject email through it without login.

This is an example:
80.30.19.50 - - [11/Aug/2008:19:26:31 -0400] "GET /imp/expand.php HTTP/1.1" 200 243 "http://mail.domain.tld/imp/compose.php?thismailbox=INBOX&uniq=1218497650159" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;.NET CLR 2.0.50727)"
80.30.19.50 - - [11/Aug/2008:19:31:13 -0400] "GET 
/imp/expand.php?actionID=expand_addresses&field_name=bcc&field_value=-shayna-maydle-%40excite.com%2C%2005%40hotmail.com%2C%20100.218017%40germanynet.de%2C%2012645%40msn.com%2C%201633%40hotmail.com%2C%201964%40yahoo.com%2C%201%401.com%2C%201I%40HOTMAIL.COM%2C%201ofthegoodguys%40go.com%2C%201wmrnhbus%40treddmd.com%2C%20202-0549%40mcimail.com%2C%2025%40earthlink.net%2C%2025%40yahoo.com%2C%202manyids%40corvettefun.com%2C%2031299%40yahoo.com%2C%20373%40hotmail.com%2C%2039ya7%40rocketmail.com%2C%203par%40msn.com%2C%2041392%4041392.br%2C%204kerrs%40cableregina.com%2C%20514alsoo%40alatavissta.com%2C%20517%40yahoo.com%2C%205402%40student-mail.jsu.edu%2C%2078019%40udel.edu%2C%207m%40work.com%2C%208adgihf%40maill.com%2C%208gk%40aquaed.de%2C%208rlkges%40usaa.com%2C%209loucke%40fontbonne.edu%2C%20ANNBRUCE%40SCCOAST.NET%2C%20AT..toyotaregister%40hotmail.com%2C%20Amanda090%40webtv.co%2C%20BASkeen27%40aol.com%2C%20BSGReunion58%40aol.com%2C%20BThomas688%40aol.com%2C%20Bama%40yahoo.com%2C%20Bckboys3%40aol.com%2C%20Beans%40aol.com%2C%20Benjstr%40prodigy.net%2C%20BethGerace%40aol.com%2C%20Bhand%40aol.com%2C%20Budda216%40aol.com%2C%20CBRAD1546%40AOL.COM%2C%20CDCA%40WANADOO.FR%2C%20CJM1993%40aol.com%2C%20CPANOT%40AOL.COM%2C%20CUDAGRL040872%40YAHOO.COM%2C%20DC1000%40AOL.COM%2C%20DGUMBITA%40STARPOWER.NET%2C%20Darksaber76%40hotmail.com%2C%20Datkison%40yahoo.com%2C%20Discolady1349%40cs.com%2C%20EDMR2%40WEBTV.NET%2C%20Esgstone37%40aol.Com%2C%20GARYOLSEN%40AOL.COM%2C%20GSLATER%40IPA.NET%2C%20GSRcivic7%40hotmail.com%2C%20GaMaCBaker%40cs.comWent%2C%20GoLela%40aol.com%2C%20Gsmall1835%40aol.com%2C%20HOTSUSIE%40VERIZON.NET%2C%20Hecsr5%40hotmail.com%2C%20Hermelindoperez%40msn.com%2C%20HlthSolutn%40aol.com%2C%20HolJL%40aol.com%2C%20Hotheat100%40aol.com%2C%20Hovindfam%40aol.com%2C%20JAMMYDODGERS2000%40HOTMAIL.COM%2C%20JEDRN67%40aol.com%2C%20JMRIVERA0469%40BELLSOUTH.NET%2C%20JPYTHON%40WEBTV.NET%2C%20JWeiner576%40aol.com%2C%20Jabbajar%40yahoo.com%2C%20Jadim274%40aol.com%2C%20JaysAccounts%40yahoo.com%2C%
20John.p.sousa%40citigroup.com%2C%20JohnanaSyl%40pronet.ne
HTTP/1.1" 200 1106 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET 
CLR 1.1.4322; .NET CLR 2.0.50727)"

So I cannot block expand.php because this is used by the users that log
into the system to send email..... but besides the spammers are abusing
the system.

Someone with this problem?

Regards.

Michael.-



-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)




--- End Message ---
--- Begin Message ---
Hello,

On Tue, Aug 19, 2008 at 09:59:39AM -0400, Michael Fernández M wrote:
> > > 
> > > > Are you sure spammers don't use a stolen login/password?
> > > 
> > > Ohhh, yea!, so much.
> > 
> > I'm sorry to insist but are you *really* sure? Because here[*]
> > there was a similar question and upstream author said it's from a
> > regular user. Could you try to track him in horde's logs?
> > Could you also give the version of your horde3 package?
> > 
> > [*]http://marc.info/?l=horde&m=120119991901767&w=2
> 
> You know, you were right.. they stole some user/pass.
> I will monitor the logs, and look for something strange.
> 
> Thanks!

Ok, I close the bug.

Regards,
-- 
Gregory Colpart <[EMAIL PROTECTED]>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/


--- End Message ---
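
Added example, not part of the original thread and not Horde/IMP code: one way to look for "something strange" in the web server log is to flag clients that ask expand.php to expand an unusually large number of addresses in a single request. The threshold of 20 and the sample log lines are assumptions constructed for illustration; a flagged IP and timestamp can then be matched against Horde's own logs to find which account was logged in.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def recipient_count(target):
    """Count addresses passed to IMP's expand_addresses action, else 0."""
    url = urlsplit(target)
    if not url.path.endswith("/expand.php"):
        return 0
    qs = parse_qs(url.query)
    if qs.get("actionID") != ["expand_addresses"]:
        return 0
    value = qs.get("field_value", [""])[0]
    return sum(1 for part in value.split(",") if "@" in part)

def flag_bulk_expansion(lines, threshold=20):
    """Return {client_ip: [(timestamp, field_name, n_recipients), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        n = recipient_count(m["target"])
        if n >= threshold:  # threshold is an assumed value, tune per site
            field = parse_qs(urlsplit(m["target"]).query).get("field_name", ["?"])[0]
            hits[m["ip"]].append((m["ts"], field, n))
    return dict(hits)

# Constructed sample log lines (documentation IPs, example.com addresses).
_bulk = "%2C%20".join(f"user{i}%40example.com" for i in range(75))
SAMPLE = [
    '192.0.2.10 - - [11/Aug/2008:19:26:31 -0400] "GET /imp/expand.php?actionID=expand_addresses'
    '&field_name=to&field_value=alice%40example.com HTTP/1.1" 200 243 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [11/Aug/2008:19:31:13 -0400] "GET /imp/expand.php?actionID=expand_addresses'
    f'&field_name=bcc&field_value={_bulk} HTTP/1.1" 200 1106 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [11/Aug/2008:19:31:40 -0400] "GET /imp/compose.php HTTP/1.1" 200 900 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, events in flag_bulk_expansion(SAMPLE).items():
        print(ip, events)
```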
