Hello,

I, a member of the Savane team, do not consider this to be a real issue.

Anyone using the related feature can easily be identified.

This bug report is like sending a bug report to the author of a mail
client saying "hey, this mail client can be used to send 100 mails!".

Don't be ridiculous.


But indeed, if you insist on filling our logs with pseudo cracking
attempts, you are directly liable under French law.


Thursday 23 June, around 1 am, Joxean Koret typed:

> 
> ---------------------------------------------------------------------------
> E-mail Flood Vulnerability in Savane Product
> ---------------------------------------------------------------------------
> 
> Author: Jose Antonio Coret (Joxean Koret)
> Date: 2005
> Location: Basque Country
> 
> ---------------------------------------------------------------------------
> 
> Affected software description:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Savane - 1.0.6 (Current)
> 
> Savane is a Web-based Libre Software hosting system. It currently
> includes issue tracking (bugs, task, support), project and member
> management, mailing lists, and individual account maintenance. It is
> internationalised and themable. It depends on Apache, Perl (>= 5.6),
> PHP (>= 4.1.0) and MySQL.
> 
> Web : https://gna.org/projects/savane
> 
> ---------------------------------------------------------------------------
> 
> E-Mail Flood
> ~~~~~~~~~~~~
> 
> The 'forgot your password?' feature allows a remote user to load a
> certain URL to cause the service to send a validation e-mail to the
> specified user's e-mail address. There is no limit to the number of
> messages sent over a period of time, so a remote user can flood the
> target user's e-mail address. E-Mail Flood => E-Mail bomber.
> 
> The following is a "Proof Of Concept" of this vulnerability:
> 
>       [EMAIL PROTECTED] while [ true ]; do
>       >       wget
> https://gna.org/account/lostpw-confirm.php?form_loginname=<valid-username>
>       > done
> 
> Other websites have fixed these issues by limiting the number of
> e-mails that can be sent in an hour, day, etc., or by using a CAPTCHA
> (http://www.captcha.net/) method.
> 
> For PHP (the language in which GForge is based) it is possible to use a
> modified version of the following good script,
> http://www.phpclasses.org/browse/file/4147.html. This is only a proof
> of concept of a CAPTCHA method that may help. I'm not the author of
> the script, so I'm not responsible if you use it without luck, sorry.
> 
> Examples of other websites that were vulnerable to the SAME
> vulnerability are:
> 
> GMail: http://securitytracker.com/alerts/2005/Jan/1012749.html
> Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=250897 
> Oracle Corporation (sorry, no link available ;) )
> 
> The fix:
> ~~~~~~~~
> 
> There is no patch at the moment. Why? Quite easy to answer: 
> 
> Vendor was contacted on 25-Apr-2005 and on 27-May-2005 but I have had
> no response.
> 
> Apparently, they don't think this is a vulnerability.
> 
> Disclaimer:
> ~~~~~~~~~~~
> 
> The information in this advisory and any of its demonstrations is
> provided
> "as is" without any warranty of any kind.
> 
> I am not liable for any direct or indirect damages caused as a result of
> using the information or demonstrations provided in any part of this
> advisory. 
> 
> ---------------------------------------------------------------------------
> 
> Contact:
> ~~~~~~~~
> 
>       Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

-- 
Mathieu Roy

  +---------------------------------------------------------------------+
  | General Homepage:           http://yeupou.coleumes.org/             |
  | Computing Homepage:         http://alberich.coleumes.org/           |
  | Not a native english speaker:                                       |
  |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +---------------------------------------------------------------------+

_______________________________________________
Savane-dev mailing list
[email protected]
https://mail.gna.org/listinfo/savane-dev
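The mitigation the advisory suggests (limiting the number of reset mails per account over a period of time) is small to implement. The following is an added example, not Savane's code or Mathieu Roy's or Joxean Koret's: a sliding-window rate limiter keyed on both the target account and the requesting client, wrapped around a stand-in for the `lostpw-confirm.php` handler. The limits, account names and the 192.0.2.10 client address are constructed for the illustration. The handler returns the same response whether the account exists or the request was throttled, so the page itself reveals nothing; the throttled attempts are written to a separate log for monitoring.

```python
"""Rate-limited 'forgot your password?' handler (added example, not Savane code)."""
import time
from collections import defaultdict, deque

# Example limits; these are assumptions for the illustration, not Savane settings.
MAX_PER_ACCOUNT = 3      # reset mails per account per window
MAX_PER_CLIENT = 10      # reset requests per client address per window
WINDOW_SECONDS = 3600    # one hour


class ResetRateLimiter:
    """Sliding-window counters keyed by target account and by requesting client."""

    def __init__(self, max_per_account=MAX_PER_ACCOUNT,
                 max_per_client=MAX_PER_CLIENT, window=WINDOW_SECONDS):
        self.max_per_account = max_per_account
        self.max_per_client = max_per_client
        self.window = window
        self._hits = defaultdict(deque)   # key -> timestamps of recent attempts

    def _recent(self, key, now):
        """Drop timestamps older than the window and return the live queue."""
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, account, client_ip, now=None):
        """True if a reset mail may be sent now; records the attempt if so."""
        now = time.time() if now is None else now
        acct_q = self._recent(("acct", account.lower()), now)
        ip_q = self._recent(("ip", client_ip), now)
        if len(acct_q) >= self.max_per_account or len(ip_q) >= self.max_per_client:
            return False
        acct_q.append(now)
        ip_q.append(now)
        return True


class LostPasswordEndpoint:
    """Stand-in for lostpw-confirm.php: queues a mail only when the limiter allows."""

    RESPONSE = "If that account exists, a confirmation mail has been sent."

    def __init__(self, known_accounts, limiter):
        self.known_accounts = known_accounts
        self.limiter = limiter
        self.outbox = []      # messages handed to the MTA
        self.refused = []     # throttled attempts, for the operator's log

    def handle(self, form_loginname, client_ip, now=None):
        # Identical response when throttled or when the account is unknown.
        if not self.limiter.allow(form_loginname, client_ip, now):
            self.refused.append((form_loginname, client_ip, now))
            return self.RESPONSE
        if form_loginname in self.known_accounts:
            self.outbox.append(form_loginname)
        return self.RESPONSE


def repeated_requests(attempts=50, account="alice", client_ip="192.0.2.10"):
    """Replay the advisory's scenario: one username requested many times.

    Returns (mails actually sent, attempts refused)."""
    endpoint = LostPasswordEndpoint({"alice"}, ResetRateLimiter())
    t0 = 1_000_000.0                      # constructed clock, one request per second
    for i in range(attempts):
        endpoint.handle(account, client_ip, now=t0 + i)
    return len(endpoint.outbox), len(endpoint.refused)


def window_expiry(account="alice", client_ip="192.0.2.10"):
    """After the window has passed, a legitimate new request is served again."""
    endpoint = LostPasswordEndpoint({"alice"}, ResetRateLimiter())
    t0 = 1_000_000.0
    for i in range(5):
        endpoint.handle(account, client_ip, now=t0 + i)
    endpoint.handle(account, client_ip, now=t0 + WINDOW_SECONDS + 10)
    return len(endpoint.outbox)


if __name__ == "__main__":
    print("sent/refused over 50 attempts:", repeated_requests())
    print("mails sent once the window has expired:", window_expiry())
```

In a real deployment the per-key queues would live in a shared store (a database table or a cache) rather than process memory, and the refused-attempt log is the signal the advisory's author was trying to raise: a burst of reset requests for one account from one client is easy to alert on once it is recorded.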
