[pkg-horde] Bug#495554: Bug#495554: imp4: It can be use to inject email thought Imp

Gregory Colpart reg at evolix.fr
Mon Aug 18 14:36:04 UTC 2008


Hello,

On Mon, Aug 18, 2008 at 10:39:59AM -0400, Michael wrote:
> 
> Imp4 allows spammers to inject email through it without login.
> 
> This is an example:
> 80.30.19.50 - - [11/Aug/2008:19:26:31 -0400] "GET /imp/expand.php
> HTTP/1.1" 200 243 "http://mail.domain.tld/imp/compose.php?thismailbox=INBOX&uniq=1218497650159"
> "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;.NET CLR 2.0.50727)"
> 80.30.19.50 - - [11/Aug/2008:19:31:13 -0400] "GET /imp/expand.php?actionID=expand_addresses&field_name=bcc&field_value=-shayna-maydle-%40excite.com%2C%2005%40hotmail.com%2C%20100.218017%40germanynet.de%2C%2012645%40msn.com%2C%201633%40hotmail.com%2C%201964%40yahoo.com%2C%201%401.com%2C%201I%40HOTMAIL.COM%2C%201ofthegoodguys%40go.com%2C%201wmrnhbus%40treddmd.com%2C%20202-0549%40mcimail.com%2C%2025%40earthlink.net%2C%2025%40yahoo.com%2C%202manyids%40corvettefun.com%2C%2031299%40yahoo.com%2C%20373%40hotmail.com%2C%2039ya7%40rocketmail.com%2C%203par%40msn.com%2C%2041392%4041392.br%2C%204kerrs%40cableregina.com%2C%20514alsoo%40alatavissta.com%2C%20517%40yahoo.com%2C%205402%40student-mail.jsu.edu%2C%2078019%40udel.edu%2C%207m%40work.com%2C%208adgihf%40maill.com%2C%208gk%40aquaed.de%2C%208rlkges%40usaa.com%2C%209loucke%40fontbonne.edu%2C%20ANNBRUCE%40SCCOAST.NET%2C%20AT..toyotaregister%40hotmail.com%2C%20Amanda090%40webtv.co%2C%20BASkeen27%40aol.com%2C%20BSGReunion58%40aol.com%2C%20BThomas688%40aol.com%2C%20Bama%40yahoo.com%2C%20Bckboys3%40aol.com%2C%20Beans%40aol.com%2C%20Benjstr%40prodigy.net%2C%20BethGerace%40aol.com%2C%20Bhand%40aol.com%2C%20Budda216%40aol.com%2C%20CBRAD1546%40AOL.COM%2C%20CDCA%40WANADOO.FR%2C%20CJM1993%40aol.com%2C%20CPANOT%40AOL.COM%2C%20CUDAGRL040872%40YAHOO.COM%2C%20DC1000%40AOL.COM%2C%20DGUMBITA%40STARPOWER.NET%2C%20Darksaber76%40hotmail.com%2C%20Datkison%40yahoo.com%2C%20Discolady1349%40cs.com%2C%20EDMR2%40WEBTV.NET%2C%20Esgstone37%40aol.Com%2C%20GARYOLSEN%40AOL.COM%2C%20GSLATER%40IPA.NET%2C%20GSRcivic7%40hotmail.com%2C%20GaMaCBaker%40cs.comWent%2C%20GoLela%40aol.com%2C%20Gsmall1835%40aol.com%2C%20HOTSUSIE%40VERIZON.NET%2C%20Hecsr5%40hotmail.com%2C%20Hermelindoperez%40msn.com%2C%20HlthSolutn%40aol.com%2C%20HolJL%40aol.com%2C%20Hotheat100%40aol.com%2C%20Hovindfam%40aol.com%2C%20JAMMYDODGERS2000%40HOTMAIL.COM%2C%20JEDRN67%40aol.com%2C%20JMRIVERA0469%40BELLSOUTH.NET%2C%20JPYTHON%40WEBTV.NET%2C%20JWeiner576%40aol.com%2C%20Jabbajar%40yahoo.com%2C%20
Jadim274%40aol.com%2C%20JaysAccounts%40yahoo.com%2C%20John.p.sousa%40citigroup.com%2C%20JohnanaSyl%40pronet.ne
> HTTP/1.1" 200 1106 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
> 
> So I cannot block expand.php because this is used by the users that log
> into the system to send email..... but besides the spammers are abusing
> the system.

Thanks for your report.

Are you sure spammers don't use a stolen login/password?
Are you sure mails are really sent?

Regards,
-- 
Gregory Colpart <reg at evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
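
An added triage example, not part of the original thread or of Horde/IMP: it scans Apache combined-format access log lines for `expand.php` requests like the one quoted above and flags those carrying a bulk address list or arriving with no referer. The function name `triage`, the threshold of 10 recipients, and the sample lines (constructed, using documentation IP ranges and example domains) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
MAX_RECIPIENTS = 10  # assumed threshold; tune to what real users expand at once

def triage(line, max_recipients=MAX_RECIPIENTS):
    """Return a finding dict for a suspicious expand.php request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    if not url.path.endswith("/expand.php") or query.get("actionID") != ["expand_addresses"]:
        return None
    # parse_qs percent-decodes the value, so %40 becomes "@" and %2C becomes ","
    value = query.get("field_value", [""])[0]
    recipients = [a.strip() for a in value.split(",") if "@" in a]
    reasons = []
    if len(recipients) > max_recipients:
        reasons.append("bulk recipients")
    if m["referer"] in ("-", ""):
        reasons.append("no referer")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["time"], "status": int(m["status"]),
            "field": query.get("field_name", ["?"])[0],
            "recipients": len(recipients), "reasons": reasons}

# Constructed sample lines: one bulk bcc expansion with no referer, one ordinary request.
_bulk = "%2C%20".join(f"user{i}%40example.com" for i in range(40))
SAMPLE = [
    '203.0.113.7 - - [11/Aug/2008:19:31:13 -0400] "GET /imp/expand.php?'
    f'actionID=expand_addresses&field_name=bcc&field_value={_bulk} HTTP/1.1" '
    '200 1106 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '198.51.100.9 - - [11/Aug/2008:19:40:02 -0400] "GET /imp/expand.php?'
    'actionID=expand_addresses&field_name=to&field_value=alice%40example.org '
    'HTTP/1.1" 200 310 "http://mail.domain.tld/imp/compose.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in filter(None, map(triage, SAMPLE)):
        print(finding)
```

A finding only marks a request for review; whether any mail actually left the server has to be checked against the MTA log for the same timestamps.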




