Vulnerability Report (DMARC RECORD)

Nicolás Alvarez nicolas.alvarez at gmail.com
Fri Mar 19 22:27:53 GMT 2021


To contact admins privately you can use sysadmin at kde.org (kde-www is a
public mailing list).

Note that we don't have a bounty program so don't expect money out of it.

-- 
Nicolás

On Fri, Mar 19, 2021 at 7:23 PM, M.Arslan Kabeer
(arslan.whitehat at inbox.eu) wrote:
>
> Hi there,
> Okay, I have found another vulnerability in your site. Kindly tell me where I should report it. Should I report it in this thread or create a new one?
> Waiting for your response
> Always Best Regards
> White HaT
> ----- Reply to message -----
> Subject: Re: Vulnerability Report (DMARC RECORD)
> Date: Fri, 19 Mar 2021, 11:43
> From: Ben Cooksley <bcooksley at kde.org>
> To: kde-www <kde-www at kde.org>
>
> On Fri, Mar 19, 2021 at 5:31 AM <arslan.whitehat at inbox.eu> wrote:
>
> Hello Team,
>
>
> Hi Arslan,
>
>
>
> I am a security researcher and I found this vulnerability.
> I just sent a forged email to my email address that appears to originate from kde-www at kde.org. I was able to do this because of the following DMARC record:
>
> DMARC record lookup and validation for: kde.org
> " No DMARC Record found "
>
> How to reproduce (PoC: attached image):
> 1. Go to mxtoolbox.com/DMARC.aspx
> 2. Enter the website and click Go.
> 3. You will see the fault (DMARC Quarantine/Reject policy not enabled).
>
> Fix:
> 1) Publish a DMARC record.
> 2) Enable a DMARC Quarantine/Reject policy.
> 3) Your DMARC record should look like:
> "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info at domain.com"
>
> For more information you can use this blog
> (https://sendgrid.com/blog/what-is-dmarc/).
>
> <?php
> // Spoofing PoC: PHP's mail() hands the message to the local MTA with whatever
> // From: header we supply; without a DMARC policy on kde.org the receiving
> // server has no instruction to quarantine or reject the forged sender.
> $to      = "VICTIM@example.com";
> $subject = "Password Change";
> $txt     = "Change your password by visiting here - [VIRUS LINK HERE]";
> // Forged sender. Header lines are CRLF-separated (RFC 5322).
> $headers = "From: kde-www@kde.org\r\n" .
>            "Content-Type: text/plain; charset=UTF-8";
> mail($to, $subject, $txt, $headers);
> ?>
>
> Reference : https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkim-dmarc_records
>
>
> Let me know if you need me to send another forged email, or if you have any other questions.
>
>
> Thanks for getting in touch with us regarding this.
>
> In this instance, we are well aware of the lack of a DMARC record.
> At this time it is an intentional omission on our part, due to various processes and workflows we have which are incompatible with DMARC.
>
>
>
>
> Hoping for the bounty for my ethical disclosure.
> Best Regards
> Security Researcher
>
>
> Regards,
> Ben Cooksley
> KDE Sysadmin
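The thread turns on one mechanism: a domain with no DMARC record gives receiving mail servers no instruction about what to do with a message whose From: domain fails aligned SPF and DKIM, so a message forged the way the PHP snippet above does is simply delivered. The following added example (written for this page; it is neither KDE's code nor the reporter's) parses a DMARC TXT record and applies the RFC 7489 disposition logic to constructed authentication results, entirely offline. It also shows a caveat a practitioner would check in the record suggested in the thread: `sp=none` makes the subdomain policy `none`, so mail forged from a subdomain of the publishing domain is still delivered. The domains `attacker.example`, `sub.kde.org` and `mail.kde.org`, and the `rua=mailto:info@example.com` address, are made up for the demonstration; the organizational-domain function is deliberately simplified to the last two labels, where a real implementation would use the Public Suffix List.

```python
"""Added example: DMARC record parsing and disposition logic (RFC 7489).

Demonstrates why a forged From: header is delivered when the domain has no
DMARC record, and what a published p=/sp= policy changes. Not KDE's code or
the reporter's; all domains other than kde.org are constructed.
"""
from dataclasses import dataclass
from typing import Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcPolicy:
    p: str              # policy for the domain that published the record
    sp: str             # policy for its subdomains (defaults to p)
    adkim: str          # DKIM alignment mode: 'r' relaxed or 's' strict
    aspf: str           # SPF alignment mode: 'r' relaxed or 's' strict
    pct: int            # share of failing mail the policy applies to (not modelled below)
    rua: Optional[str]  # aggregate-report address, if any


def parse_dmarc(txt: str) -> DmarcPolicy:
    """Parse a DMARC TXT record string into a DmarcPolicy, rejecting records
    that are not DMARC or lack the mandatory p= tag."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    p = tags.get("p")
    if p not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    sp = tags.get("sp", p)  # RFC 7489: sp defaults to the value of p
    if sp not in VALID_POLICIES:
        raise ValueError("invalid sp= tag")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return DmarcPolicy(p=p, sp=sp, adkim=tags.get("adkim", "r"),
                       aspf=tags.get("aspf", "r"), pct=pct, rua=tags.get("rua"))


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    a real implementation consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment between the RFC5322.From domain and the domain
    that passed SPF or DKIM. None means that mechanism did not pass at all."""
    if auth_domain is None:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def evaluate(policy: Optional[DmarcPolicy], from_domain: str,
             spf_pass_domain: Optional[str], dkim_pass_domain: Optional[str],
             record_domain: str) -> str:
    """Return 'pass' if an aligned SPF or DKIM result authenticates the message,
    'no-policy' if the domain publishes no DMARC record, otherwise the
    disposition the receiver applies ('none', 'quarantine' or 'reject').
    record_domain is where the TXT record was found: the From domain itself,
    or its organizational domain when the From domain is a subdomain."""
    if policy is None:
        return "no-policy"
    if aligned(from_domain, spf_pass_domain, policy.aspf) or \
            aligned(from_domain, dkim_pass_domain, policy.adkim):
        return "pass"
    if from_domain.lower() == record_domain.lower():
        return policy.p
    return policy.sp  # From domain is a subdomain of the publishing domain


if __name__ == "__main__":
    # Constructed scenario: the forged message leaves the attacker's own server,
    # so SPF can only pass for attacker.example and no kde.org DKIM signature exists.
    spoof = dict(from_domain="kde.org", spf_pass_domain="attacker.example",
                 dkim_pass_domain=None, record_domain="kde.org")
    print("no DMARC record :", evaluate(None, **spoof))
    suggested = parse_dmarc("v=DMARC1; p=reject; sp=none; pct=100; ri=86400; "
                            "rua=mailto:info@example.com")
    print("p=reject        :", evaluate(suggested, **spoof))
    # Same record, forged From: at a subdomain: sp=none lets it through.
    print("sub.kde.org     :", evaluate(suggested, "sub.kde.org",
                                        "attacker.example", None, "kde.org"))
    # Legitimate mail relayed via a host under kde.org passes relaxed SPF alignment.
    print("legit relaxed   :", evaluate(suggested, "kde.org", "mail.kde.org", None, "kde.org"))
```

Run directly, the script prints `no-policy`, `reject`, `none` and `pass` for the four cases: the first line is the situation Ben Cooksley describes (no record, so the forged mail is accepted), the second is what the suggested record would do to the reporter's PoC, and the third is the subdomain gap that `sp=none` leaves open.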

