[32616] in bugtraq
Pieterpost - access to "vitual" account
daemon@ATHENA.MIT.EDU (datasink@op.pl)
Sat Nov 29 11:34:24 2003
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 7BIT
MIME-Version: 1.0
Date: Sat, 29 Nov 2003 15:08:39 +0100
From: datasink@op.pl
To: bugtraq@securityfocus.com
Message-Id: <20031129140846Z648794-4779+2@kps1.test.onet.pl>
Hello bugtraq readers and writers !
name: PieterPost 0.10.6
homepage: http://todsah.nihilist.nl/index.php?p=Development/Projects/Pieterpost
about: "PieterPost is a webbased interface to a pop3 mailbox. It is designed to be
both small and easy to use"
what: entering url http://server.com/pp.php?action=login anyone can get access
to "virtual" account.
I don't think that can be a big vuln, but at this moment anyone can send spam
from such server and fake e-mail's. This work only with default configuration
(localhost as pop3 server) and weak MTA agent - posible to change From header
sending from localhost.
