Bug#: 26804
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Daniel Ahlberg (RETIRED) <aliz@gentoo.org>

Description:   Opened: 2003-08-17 07:02 0000

------- Comment #1 From Daniel Ahlberg (RETIRED) 2003-08-17 07:02:02 0000 -------
> --------------------------- 
> PUCCIOLAB.ORG - ADVISORIES 
> <http://www.pucciolab.org> 
> --------------------------- 
> 
> PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4 
> 
> --------------------------------------------------------------------------- 
> PuCCiOLAB.ORG Security Advisories                      puccio@pucciolab.org 
> http://www.pucciolab.org                          Vincenzo 'puccio' Ciaglia 
> August 12th, 2003 
> --------------------------------------------------------------------------- 
> 
> Package        : Horde MTA 
> Vulnerability  : access to private account without login 
> Problem-Type   : remote 
> Version        : All < 2.2.4 
> Official Site  : http://horde.org/ 
> N° Advisories  : 0001 
> 
> *********************** 
> Description of problem 
> ************************ 
> An attacker could send an email to a victim who makes use of HORDE MTA in
> order to push them to visit a website. The website in question logs all
> accesses and describes in particular the origin of every victim.
> 
> Example: 
> ------------------- 
> MY STAT FOR MY WEBSITE - REFERENT DOMAIN 
> 
> HTTP://MYSITE.MYSOCIETY.NET/HORDE/IMP/MESSAGE.PHP?HORDE=FC235847D2C8A88190C879B290D12630&INDEX=XXX
> 
> In this example, the victim has viewed our website while reading the mail
> that we sent to them. By visiting the link recorded by our access
> counter, we will be able to reach the victim's mail management page
> and will be able to read and send their email, at leisure, without
> logging in. The session is closed after approximately 20 minutes
> and the hacker has the time to do as he pleases.
> 
> ************************* 
> What could an attacker do?
> *************************
> Read, write and fake your e-mail. They could send, from your email address, a
> mail to your ISP and ask it for the User and PASS of your website. The consequences
> would be catastrophic.
> 
> ************************* 
> What can I do?
> ************************* 
> Upgrade your MTA Agent to 2.2.4 version. 
> 
> Greetings,
> Vincenzo 'puccio' Ciaglia 
> www.pucciolab.org
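
A detection check for the session reuse the advisory describes, as an added example that is not part of the bug report or of Horde's code: it scans the webmail server's own access log for a URL session id that is requested from more than one client address or that arrives with an off-site Referer. The combined log format, the host names and the sample log lines are assumptions constructed for illustration; only the `HORDE` parameter name comes from the advisory's example URL.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format (assumed): client IP, request target and Referer are enough.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|POST|HEAD) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')
SESSION_PARAM = "horde"  # parameter name from the advisory's example URL

def safe_split(url):
    """urlsplit that tolerates malformed, client-controlled values."""
    try:
        return urlsplit(url)
    except ValueError:
        return urlsplit("")

def session_ids(target):
    """Session ids carried in the query string of a request target."""
    query = parse_qs(safe_split(target).query)
    return [v for k, vals in query.items() if k.lower() == SESSION_PARAM for v in vals]

def suspicious_sessions(lines, own_host):
    """Session ids used from several client IPs or reached from an off-site Referer."""
    ips, offsite = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ref_host = safe_split(m["referer"]).hostname
        for sid in session_ids(m["target"]):
            ips[sid].add(m["ip"])
            if ref_host and ref_host != own_host:
                offsite[sid].add(ref_host)
    return {sid: {"ips": sorted(ips[sid]), "offsite_referers": sorted(offsite[sid])}
            for sid in ips if len(ips[sid]) > 1 or offsite[sid]}

# Constructed sample log: documentation addresses and made-up session ids.
SID_A, SID_B = "0f1e2d3c4b5a69788796a5b4c3d2e1f0", "11223344556677889900aabbccddeeff"
OWN = "http://mail.example.net/horde/imp/mailbox.php"
SAMPLE_LOG = [
    f'192.0.2.10 - - [17/Aug/2003:06:58:10 +0000] "GET /horde/imp/message.php?HORDE={SID_A}&index=12 HTTP/1.0" 200 5120 "{OWN}" "Mozilla/4.0"',
    f'192.0.2.44 - - [17/Aug/2003:06:59:02 +0000] "GET /horde/imp/message.php?HORDE={SID_B}&index=3 HTTP/1.0" 200 4100 "{OWN}" "Mozilla/4.0"',
    f'198.51.100.7 - - [17/Aug/2003:07:03:45 +0000] "GET /horde/imp/message.php?HORDE={SID_A}&index=12 HTTP/1.0" 200 5120 "http://stats.example.org/referrers" "Mozilla/4.0"',
]
```

Calling `suspicious_sessions(SAMPLE_LOG, "mail.example.net")` reports only the first session id, which is seen from two addresses and once with the Referer host `stats.example.org`.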

------- Comment #2 From Daniel Ahlberg (RETIRED) 2003-09-01 07:25:40 0000 -------
glsa sent 
