> On Dec 4, 2016, at 12:58 AM, @lbutlr wrote:
>
>> MAIL FROM<"> type='text/javascript'>alert('xss');"@example.com>
>
> That results in "501 5.5.4 Syntax: MAIL FROM:"
There's a missing ":" after FROM. In any case, even if a particular
exploit mechanism fails, or even all
On 12/3/16 2:57 PM, Wietse Venema wrote:
Proof of concept:
MAIL FROM<"alert('xss');"@example.com>
That results in "501 5.5.4 Syntax: MAIL FROM:"
Wietse Venema:
> @ lbutlr:
> > > Careful with that. Too easy to create a script injection vector. Bash is not
> > > a good language in which to construct safely quoted remote content for
> > > injection into a suitable HTML skeleton.
> >
> > Injection from where? The script is only
@ lbutlr:
> > Careful with that. Too easy to create a script injection vector. Bash is not
> > a good language in which to construct safely quoted remote content for
> > injection into a suitable HTML skeleton.
>
> Injection from where? The script is only accessible to the root user on
rich.gre...@hushmail.com:
> $ telnet example.com 25
> Trying 87.138.xxx.yyy...
> Connected to example.com.
> Escape character is '^]'.
> 220 example.com ESMTP Postfix (Ubuntu)
> ehlo example.com
> 250-example.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH
rich.gre...@hushmail.com:
> I suspected that was a typo. I figured it out.
>
> I made those changes, when I attempt an AUTH LOGIN, I get back "535 5.7.8
> Error: authentication failed: UGFzc3dvcmQ6" which seems to be appropriate.
You still have AUTH enabled on port 25.
Wietse
On 12/3/2016 at 10:45 AM, "John Fawcett" wrote:
>
>On 12/03/2016 05:25 PM, rich.gre...@hushmail.com wrote:
>> Here I am, replying to my own post again. What I said in the
>> prior post wasn't entirely true. I realized that I used the wrong
>> password in my prior attempt.
On 03/12/16 at 17:25, rich.gre...@hushmail.com wrote:
> So I'm somewhat confused how to prevent/discourage users from sending
> their authentication detail in the clear when there are secure methods
> that exist (such as, $ openssl s_client -starttls smtp -connect
> example.com:587)
We
On 12/3/16 9:53 AM, Bastian Blank wrote:
On Sat, Dec 03, 2016 at 09:44:03AM -0700, @lbutlr wrote:
Injection from where? The script is only accessible to the root user
on the mail server and only checks /var/log/maillog (or the log
specified at the top of the script). There's no remote content
On Sat, Dec 03, 2016 at 09:44:03AM -0700, @lbutlr wrote:
> Injection from where? The script is only accessible to the root user
> on the mail server and only checks /var/log/maillog (or the log
> specified at the top of the script). There's no remote content
> involved.
The contents of the log
correcting my own typo now
On 12/03/2016 05:44 PM, John Fawcett wrote:
> On 12/03/2016 05:25 PM, rich.gre...@hushmail.com wrote:
>> Here I am, replying to my own post again. What I said in the prior post
>> wasn't entirely true. I realized that I used the wrong password in my prior
>>
On 12/03/2016 05:25 PM, rich.gre...@hushmail.com wrote:
> Here I am, replying to my own post again. What I said in the prior post
> wasn't entirely true. I realized that I used the wrong password in my prior
> attempt. I am still granted access to the SMTP service after authenticating in
On 12/3/16 1:48 AM, Viktor Dukhovni wrote:
On Dec 2, 2016, at 1:30 AM, @lbutlr wrote:
I have a bash script that does it, and when a user wants this, I simply set up
a crontab for them. Usually after a week or so they want it turned off. The
script sends them a lightly
On 12/2/16 12:16 PM, Wietse Venema wrote:
With 'no shared ciphers' happening frequently, do we want to set
up a TLS troubleshooting document, or is the decision tree too
complex for such a document to be useful?
Considering how often the question is asked, probably.
However, I think the error
On 12/2/16 4:32 PM, Petri Riihikallio wrote:
As long as saslauthd can bind against it like a regular Active Directory
(=LDAP) server, it should work without special configuration inside
postfix.
Does Azure AD support LDAP?
Yes.
On 12/2/16 2:34 PM, Michael Munger wrote:
Linux man page numbers.
The man page numbers have nothing to do with Linux.
Here I am, replying to my own post again. What I said in the prior post wasn't
entirely true. I realized that I used the wrong password in my prior attempt.
I am still granted access to the SMTP service after authenticating in plaintext
on port 25.
So I'm somewhat confused how to
I suspected that was a typo. I figured it out.
I made those changes, when I attempt an AUTH LOGIN, I get back "535 5.7.8
Error: authentication failed: UGFzc3dvcmQ6" which seems to be appropriate.
So the user is no longer rewarded with access to the SMTP services when they
attempt to connect
John Fawcett:
> On 12/03/2016 04:10 PM, Wietse Venema wrote:
> > rich.gre...@hushmail.com:
> >> There are ports that exist for encrypted transfer of this data
> >> (such as 465, 587). What is the current state of the art for
> >> preventing the user's client software from being able to do this
>
On 12/03/2016 04:10 PM, Wietse Venema wrote:
> rich.gre...@hushmail.com:
>> There are ports that exist for encrypted transfer of this data
>> (such as 465, 587). What is the current state of the art for
>> preventing the user's client software from being able to do this
>> (sending their
rich.gre...@hushmail.com:
> There are ports that exist for encrypted transfer of this data
> (such as 465, 587). What is the current state of the art for
> preventing the user's client software from being able to do this
> (sending their authentication details plaintext)? Is it safe to
> simply
Viktor Dukhovni:
>
> > On Dec 2, 2016, at 1:30 AM, @lbutlr wrote:
> >
> > I have a bash script that does it, and when a user wants this, I simply set
> > up a crontab for them. Usually after a week or so they want it turned off.
> > The script sends them a lightly styled
I love to go and see what I can get away with using telnet. I decided to send
and check email from the command line.
Since I consider my test location to be low risk, I decided to try to send my
password plaintext over port 25. I was moderately surprised that it did
work, as seen below in
> On Dec 2, 2016, at 1:30 AM, @lbutlr wrote:
>
> I have a bash script that does it, and when a user wants this, I simply set
> up a crontab for them. Usually after a week or so they want it turned off.
> The script sends them a lightly styled HTML table in the email.
>
>
24 matches