https://bz.apache.org/ooo/show_bug.cgi?id=127360

          Issue ID: 127360
        Issue Type: DEFECT
           Summary: DMARC Security Missing in your domain
           Product: Infrastructure
           Version: current
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P5 (lowest)
         Component: Website general issues
          Assignee: issues@openoffice.apache.org
          Reporter: pc_master...@yahoo.com
  Target Milestone: ---

Created attachment 85985
  --> https://bz.apache.org/ooo/attachment.cgi?id=85985&action=edit
DMARC Security Missing in your domain

Sir, we found DMARC security missing in your domain.


Description and Impact

We found that your domain is vulnerable to malware injection as the fake mail
headers are not blocked. We tried to send a fake mail through an open SMTP server and
found the mail reaching our server. Any attacker can take advantage of this
situation and inject an advanced attack vector into the client side using the trust of
your domain.

Reproduction Instructions/Proof of Concept

Here are the steps to reproduce:

We created a test bed of vul link and bound to a local website using BeEF
Framework (The Browser Exploitation Framework). Details of Framework and
working can be found on http://beefproject.com/

So a testbed of http://malware.localhost/ link was created using the above
step.

Then an open SMTP server was used; there are many that can be found, for example
https://emkei.cz/ or https://anonymousemail.me/

Then a trusted mail from your domain was sent to one of our team members.

Due to missing fake header checks, the mail shipped directly to our inbox.

I am attaching a simple POC along with this form to make it more clear. This is a
serious flaw and has been handled by many companies using Domain-based Message
Authentication, Reporting and Conformance (DMARC). For example: if you try to send a
fake mail using the Facebook domain, like ad...@facebook.com, it will not be
delivered to the inbox of any client for any public mail service like Yahoo, Gmail, and
Outlook. But the same is happening in your domain.

Please patch this flaw; in case you need any further info, you can revert to me.

Regards,
Sadik Shaikh
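As an added illustration, not part of the report above, of what a published DMARC policy changes on the receiving side: the Python below parses a DMARC TXT record, checks SPF/DKIM identifier alignment against the From: domain, and returns the disposition a receiver would apply. The record text and domains are constructed examples, not real DNS data for any domain.

```python
"""Evaluate the DMARC disposition a receiver applies to a message.

Constructed sample data only: the records and domains are hypothetical.
"""

# Constructed sample records (hypothetical, not any real domain's DNS).
SAMPLE_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
SAMPLE_NONE = "v=DMARC1; p=none"


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with alignment defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags


def org_domain(domain):
    """Organizational domain; assumes two-label TLDs (no public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_domain, spf_pass,
                      dkim_domain, dkim_pass):
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject')."""
    if record is None:
        return "none"  # no DMARC record published: receiver applies no policy
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # A message claiming From: example.com but relayed by an unrelated domain.
    print(dmarc_disposition(None, "example.com", "relay.example.net", True, None, False))
    print(dmarc_disposition(SAMPLE_REJECT, "example.com", "relay.example.net", True, None, False))
```

With no record the receiver has no instruction and the message is treated as "none"; the same message under the constructed p=reject record is rejected, while mail authenticated by an aligned subdomain such as mail.example.com passes under relaxed alignment.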
