[pkg-horde] Bug#495554: imp4: It can be used to inject email through Imp

Michael michael at michael.cl
Mon Aug 18 14:39:59 UTC 2008


Package: imp4
Version: 4.1.3-4
Severity: grave
Tags: security
Justification: user security hole

Imp4 allows spammers to inject email through it without login.

This is an example:
80.30.19.50 - - [11/Aug/2008:19:26:31 -0400] "GET /imp/expand.php
HTTP/1.1" 200 243 "http://mail.domain.tld/imp/compose.php?thismailbox=INBOX&uniq=1218497650159"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;.NET CLR 2.0.50727)"
80.30.19.50 - - [11/Aug/2008:19:31:13 -0400] "GET /imp/expand.php?actionID=expand_addresses&field_name=bcc&field_value=-shayna-maydle-%40excite.com%2C%2005%40hotmail.com%2C%20100.218017%40germanynet.de%2C%2012645%40msn.com%2C%201633%40hotmail.com%2C%201964%40yahoo.com%2C%201%401.com%2C%201I%40HOTMAIL.COM%2C%201ofthegoodguys%40go.com%2C%201wmrnhbus%40treddmd.com%2C%20202-0549%40mcimail.com%2C%2025%40earthlink.net%2C%2025%40yahoo.com%2C%202manyids%40corvettefun.com%2C%2031299%40yahoo.com%2C%20373%40hotmail.com%2C%2039ya7%40rocketmail.com%2C%203par%40msn.com%2C%2041392%4041392.br%2C%204kerrs%40cableregina.com%2C%20514alsoo%40alatavissta.com%2C%20517%40yahoo.com%2C%205402%40student-mail.jsu.edu%2C%2078019%40udel.edu%2C%207m%40work.com%2C%208adgihf%40maill.com%2C%208gk%40aquaed.de%2C%208rlkges%40usaa.com%2C%209loucke%40fontbonne.edu%2C%20ANNBRUCE%40SCCOAST.NET%2C%20AT..toyotaregister%40hotmail.com%2C%20Amanda090%40webtv.co%2C%20BASkeen27%40aol.com%2C%20BSGReunion58%40aol.com%2C%20BThomas688%40aol.com%2C%20Bama%40yahoo.com%2C%20Bckboys3%40aol.com%2C%20Beans%40aol.com%2C%20Benjstr%40prodigy.net%2C%20BethGerace%40aol.com%2C%20Bhand%40aol.com%2C%20Budda216%40aol.com%2C%20CBRAD1546%40AOL.COM%2C%20CDCA%40WANADOO.FR%2C%20CJM1993%40aol.com%2C%20CPANOT%40AOL.COM%2C%20CUDAGRL040872%40YAHOO.COM%2C%20DC1000%40AOL.COM%2C%20DGUMBITA%40STARPOWER.NET%2C%20Darksaber76%40hotmail.com%2C%20Datkison%40yahoo.com%2C%20Discolady1349%40cs.com%2C%20EDMR2%40WEBTV.NET%2C%20Esgstone37%40aol.Com%2C%20GARYOLSEN%40AOL.COM%2C%20GSLATER%40IPA.NET%2C%20GSRcivic7%40hotmail.com%2C%20GaMaCBaker%40cs.comWent%2C%20GoLela%40aol.com%2C%20Gsmall1835%40aol.com%2C%20HOTSUSIE%40VERIZON.NET%2C%20Hecsr5%40hotmail.com%2C%20Hermelindoperez%40msn.com%2C%20HlthSolutn%40aol.com%2C%20HolJL%40aol.com%2C%20Hotheat100%40aol.com%2C%20Hovindfam%40aol.com%2C%20JAMMYDODGERS2000%40HOTMAIL.COM%2C%20JEDRN67%40aol.com%2C%20JMRIVERA0469%40BELLSOUTH.NET%2C%20JPYTHON%40WEBTV.NET%2C%20JWeiner576%40aol.com%2C%20Jabbajar%40yahoo.com%2C%20Ja
dim274%40aol.com%2C%20JaysAccounts%40yahoo.com%2C%20John.p.sousa%40citigroup.com%2C%20JohnanaSyl%40pronet.ne
HTTP/1.1" 200 1106 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

So I cannot block expand.php because it is used by the users that log
into the system to send email... but besides that, the spammers are abusing
the system.

Anyone else with this problem?

Regards.

Michael.-



-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
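
A way to find such requests in an Apache access log, as an added example that is not part of the original report and not Horde/IMP code. It assumes the "combined" log format shown above; the threshold, the missing-referer heuristic and the sample lines (documentation addresses only) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
MAX_ADDRESSES = 10  # assumed threshold; tune to what real users put in one field


def suspicious_expand(line, max_addresses=MAX_ADDRESSES):
    """Return (host, field_name, address_count, reasons) for a suspicious hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/imp/expand.php"):
        return None
    query = parse_qs(url.query)  # also URL-decodes %40, %2C, %20
    if query.get("actionID", [""])[0] != "expand_addresses":
        return None
    value = query.get("field_value", [""])[0]
    count = len([a for a in value.split(",") if "@" in a])
    reasons = []
    if count > max_addresses:
        reasons.append("bulk address list")
    if m["referer"] in ("", "-"):  # heuristic: the compose page normally sends one
        reasons.append("no referer")
    if not reasons:
        return None
    return (m["host"], query.get("field_name", [""])[0], count, reasons)


# Constructed sample lines: one ordinary lookup, one bulk Bcc expansion.
BULK = "%2C%20".join(f"user{i}%40example.com" for i in range(25))
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Aug/2008:19:26:31 -0400] "GET /imp/expand.php?actionID=expand_addresses'
    '&field_name=to&field_value=alice%40example.com HTTP/1.1" 200 243 '
    '"http://mail.example.org/imp/compose.php?thismailbox=INBOX" "Mozilla/4.0"',
    '192.0.2.66 - - [11/Aug/2008:19:31:13 -0400] "GET /imp/expand.php?actionID=expand_addresses'
    f'&field_name=bcc&field_value={BULK} HTTP/1.1" 200 1106 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        hit = suspicious_expand(entry)
        if hit:
            print("flagged:", hit)
```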





