SecurityTracker.com
Category:   Application (E-mail Client)  >   PieterPost
Vendors:   Boender, Ferry
PieterPost Virtual Account May Let Remote Users Send Anonymous E-mail
SecurityTracker Alert ID:  1008340
SecurityTracker URL:  http://securitytracker.com/id/1008340
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 1 2003
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.10.6
Description:   A vulnerability was reported in PieterPost. A remote user can access a generic e-mail account to send anonymous e-mail.

It is reported that a remote user can supply the following URL to gain access to a "virtual" account:

http://[target]/pp.php?action=login

A remote user can reportedly send anonymous e-mail from this account.

Impact:   A remote user may be able to send anonymous e-mail via the system.
Solution:   The vendor has released a fixed version (0.10.7), available at:

http://todsah.nihilist.nl/data/development/projects/pieterpost/files/pieterpost-0.10.7.tar.gz
http://todsah.nihilist.nl/index.php?p=Development/Projects/Pieterpost

Vendor URL:  todsah.nihilist.nl/index.php?p=Development/Projects/Pieterpost
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Pieterpost - access to "virtual" account


Hello bugtraq readers and writers !

name: PieterPost 0.10.6
homepage: http://todsah.nihilist.nl/index.php?p=Development/Projects/Pieterpost
about: "PieterPost is a webbased interface to a pop3 mailbox. It is designed to be
           both small and easy to use"

what: entering url http://server.com/pp.php?action=login anyone can get access
         to "virtual" account.

 I don't think that can be a big vuln, but at this moment anyone can send spam
from such a server and fake e-mails. This works only with the default configuration
(localhost as pop3 server) and a weak MTA agent - possible to change From header
sending from localhost.

 
 

