Re: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss

From: Hilko Bengen (bengen+amavis@hilluzination.de)
Date: 04/09/03

    To: bugtraq@securityfocus.com
    From: Hilko Bengen <bengen+amavis@hilluzination.de>
    Date: Wed, 09 Apr 2003 15:55:47 +0200

    Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@protected.unixadm.org>
    writes:

    > with postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3;
    > 0.1.4.x is not vulnerable), all email gets forwarded to the address
    > specified by the "To:" header line, ignoring the real recipient given
    > via "RCPT TO:".

    [...]

    As the main developer of AMaViS-ng, I would like to make three
    comments at this time:

    (1) Unfortunately, Phil did not contact me or any other AMaViS
    developer, neither via private mail nor by sending a message to
    security@amavis.org, before posting to Bugtraq. He did post to the
    amavis-user list on Mon, 7 Apr 2003 00:33:52 +0200 (see:
    http://sourceforge.net/mailarchive/message.php?msg_id=4298123), which
    was only about 14h before posting to this list. "Prior notice" is
    something else in my dictionary.

    Neither did he inform anyone from the AMaViS development team of his
    posting to this list. I only became aware of it because other
    subscribers pointed me to his article.

    (2) The issue is being investigated at the moment and I will post
    updates when we know more about it.

    (3) Using the information from Phil's posting to this list, we have
    not been able to confirm the vulnerability so far. We hope to get this
    issue sorted out soon.

    Regards,
    -Hilko
