Vulnerability Report (DMARC RECORD)

Ben Cooksley bcooksley at kde.org
Fri Mar 19 09:43:18 GMT 2021


On Fri, Mar 19, 2021 at 5:31 AM <arslan.whitehat at inbox.eu> wrote:

> Hello Team,


Hi Arslan,


>
> I am a security researcher and I found this vulnerability.
> I just sent a forged email to my email address that appears to originate
> from kde-www at kde.org. I was able to do this because of the following
> DMARC record:
>
> DMARC record lookup and validation for: kde.org
> " No DMARC Record found "
>
> How To Reproduce (POC - ATTACHED IMAGE):
> 1. Go to mxtoolbox.com/DMARC.aspx
> 2. Enter the website. Click GO.
> 3. You will see the fault (DMARC Quarantine/Reject policy not enabled)
>
> Fix:
> 1) Publish DMARC Record.
> 2) Enable DMARC Quarantine/Reject policy
> 3) Your DMARC record should look like
> "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:
> info at domain.com"
>
> For more information you can use this blog
> (https://sendgrid.com/blog/what-is-dmarc/).
>
> <?php
> $to = "VICTIM at example.com";
> $subject = "Password Change";
> $txt = "Change your password by visiting here - [VIRUS LINK HERE]";
> $headers = "From:kde-www at kde.org";
> mail($to,$subject,$txt,$headers);
>
> ?>
>
> Reference :
> https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkim-dmarc_records
>
>
> Let me know if you need me to send another forged email, or if you have any
> other questions.
>

Thanks for getting in touch with us regarding this.

In this instance, we are well aware of the lack of a DMARC record.
At this time it is an intentional omission on our part, due to various
processes and workflows we have which are incompatible with DMARC.


>
> Hoping for the bounty for my ethical Disclosure.
> Best Regards
> Security Researcher


Regards,
Ben Cooksley
KDE Sysadmin
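
The following is an added example, not part of the original messages or of KDE's tooling: an offline check of what a DMARC TXT record asks receivers to do, for the domain and for its subdomains, applied to the case of no record and to the record suggested in the report. The function names and the `dmarc-reports@example.org` address are constructed for illustration, and the parsing is a simplified reading of RFC 7489.

```python
VALID = ("none", "quarantine", "reject")  # ordered weakest to strongest

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if txt is not a DMARC record."""
    tags = {}
    for part in (p.strip() for p in (txt or "").split(";")):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None
        tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: the first tag must be v=DMARC1 (dicts keep insertion order)
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    return tags

def effective_policy(txt, subdomain=False):
    """Policy requested for mail that fails DMARC: none, quarantine or reject."""
    tags = parse_dmarc(txt)
    if tags is None or tags.get("p", "").lower() not in VALID:
        return "none"  # no usable record or policy: nothing is enforced
    sp = tags.get("sp", "").lower()
    return sp if subdomain and sp in VALID else tags["p"].lower()

def audit(txt):
    """List the gaps a reviewer would raise about a record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record: receivers apply no DMARC policy"]
    findings = []
    dom, sub = effective_policy(txt), effective_policy(txt, subdomain=True)
    if dom == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if VALID.index(sub) < VALID.index(dom):
        findings.append(f"sp={sub} is weaker than p={dom}: subdomains are not covered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:  # not an integer, or partial rollout
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports on who sends as the domain")
    return findings

# Constructed samples; the report address is a placeholder, not a real mailbox.
SUGGESTED = ("v=DMARC1; p=reject; sp=none; pct=100; ri=86400; "
             "rua=mailto:dmarc-reports@example.org")
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"

if __name__ == "__main__":
    for label, rec in (("no record", None), ("suggested", SUGGESTED), ("monitor", MONITOR)):
        print(label, effective_policy(rec), effective_policy(rec, True), audit(rec))
```

Run against the suggested record, the check reports that `sp=none` leaves subdomains without enforcement even though `p=reject` covers the organizational domain.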