Bugtraq mailing list archives

PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4
From: Vincenzo 'puccio' Ciaglia <puccio () pucciolab org>
Date: Wed, 13 Aug 2003 23:26:18 +0200


PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4

PuCCiOLAB.ORG Security Advisories                      puccio () pucciolab org
http://www.pucciolab.org                          Vincenzo 'puccio' Ciaglia
August 12th, 2003                       

Package        : Horde MTA
Vulnerability  : access to private account without login
Problem-Type   : remote
Version        : All < 2.2.4 
Official Site  : http://horde.org/
N° Advisories  : 0001

Description of problem
An attacker could send an e-mail to a victim who uses HORDE MTA in order to induce the victim to visit a website. The
website in question logs all accesses and records in detail the origin of every victim.


In this example, the victim has viewed our website while reading the mail that we sent. By visiting the link
recorded by our access counter, we can reach the victim's mail management page and read and send the victim's
e-mail at leisure, without logging in. The session is closed after approximately 20 minutes, so the attacker has
plenty of time to do as they please.

What could an attacker do?
Read, write and fake your e-mail. They could send, from your e-mail address, a mail to your ISP asking for the
user name and password of your website. The consequences would be catastrophic.

What can I do?
Upgrade your MTA Agent to version 2.2.4.

Vincenzo 'puccio' Ciaglia
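
A defender-side check for the session reuse described in the advisory, added here as an example and not part of the original message: it scans a webmail access log and flags session tokens that are used from more than one client address while the session is still live. It assumes the session token appears in the request URL under a hypothetical parameter named `sid` and that the server writes Common Log Format; the log lines and token values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the webmail puts its session token in a query parameter.
# "sid" is a hypothetical name; use the one your deployment's logs show.
SESSION_PARAM = "sid"
SESSION_LIFETIME = timedelta(minutes=20)  # session lifetime quoted in the advisory

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST|HEAD) (?P<url>\S+) [^"]*"'
)
TOKEN_RE = re.compile(r'[?&;]' + re.escape(SESSION_PARAM) + r'=([A-Za-z0-9]+)')

# Constructed sample lines (documentation addresses, made-up tokens and paths).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Aug/2003:21:00:05 +0200] "GET /webmail/mailbox.php?sid=aaaa1111 HTTP/1.0" 200 5120
192.0.2.10 - - [13/Aug/2003:21:01:40 +0200] "GET /webmail/message.php?sid=aaaa1111&index=7 HTTP/1.0" 200 2048
203.0.113.77 - - [13/Aug/2003:21:06:12 +0200] "GET /webmail/mailbox.php?sid=aaaa1111 HTTP/1.0" 200 5120
198.51.100.4 - - [13/Aug/2003:21:07:00 +0200] "GET /webmail/mailbox.php?sid=bbbb2222 HTTP/1.0" 200 4096
198.51.100.4 - - [13/Aug/2003:21:30:00 +0200] "GET /webmail/compose.php?sid=bbbb2222 HTTP/1.0" 200 1024
"""

def find_shared_sessions(log_text, lifetime=SESSION_LIFETIME):
    """Return {token: sorted client addresses} for tokens used by more than
    one address, counting only requests made while the session was live."""
    last_seen = {}               # token -> time of its previous request
    clients = defaultdict(set)   # token -> client addresses seen
    for line in log_text.splitlines():   # lines assumed in chronological order
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        t = TOKEN_RE.search(m.group("url"))
        if not t:
            continue  # request carries no session token
        token, ip = t.group(1), m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        prev = last_seen.get(token)
        if prev is None or ts - prev <= lifetime:
            clients[token].add(ip)
        last_seen[token] = ts
    return {tok: sorted(ips) for tok, ips in clients.items() if len(ips) > 1}

if __name__ == "__main__":
    for token, ips in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {token} used from {', '.join(ips)}")
```

Clients behind a rotating proxy can also change address mid-session, so treat a hit as a lead to investigate rather than proof of hijacking.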
