BUG REPORT
by Arman Ktk
Hello Team ,
I am an ethical hacker, bug bounty hunter and security researcher, I
identify bugs in websites and provide vulnerability assessment of the
identified issues.
I have found an email spoofing issue in your website which can allow anyone
to send emails from “emailhere” to any other users. Please find the details
of the bug below.
I am hoping to receive a bug bounty reward for the responsible disclosure
of this issue and hope to report further bugs once this is pursued and
remediated.
Vulnerability: No DMARC Record Found
I just sent a forged email to my email address that appears to originate
from “
press(a)lists.podman.io
. I was able to do this because of the following DMARC record:
;
DMARC record lookup and validation for:
lists.podman.io
"No DMARC Record found"
Description:
DMARC (Domain-based Message Authentication, Reporting and Conformance) is
an email authentication protocol. It is designed to give email domain
owners the ability to protect their domain from unauthorized use, commonly
known as email spoofing. The purpose and primary outcome of implementing
DMARC is to protect a domain from being used in business email compromise
attacks, phishing emails, email scams and other cyber threat activities.
DMARC Record contains the policy which determines how to handle
unauthenticated/forged emails. Its lack can allow attacker to abuse the
domain name.
Fix:
1)Publish DMARC Record.
2)Enable DMARC Quarantine/Reject policy
3)Your DMARC record should look like
;
"v=DMARC1; p=reject; pct=100; ri=86400; rua=mailto:
press(a)lists.podman.io
POC:
This can be done using any php mailer tool like this ,
<?php
$to = "VICTIM(a)example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]l";
$headers = "From: i;
press(a)lists.podman.io
";
mail($to,$subject,$txt,$headers);
?>
You can check your DMARC record form here : https://mxtoolbox.com/DMARC.aspx
References:
;1)
https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkim-...
2)
https://blog.redsift.com/email/the-resurgence-of-email-marketing-how-to-r...
3) https://easydmarc.com/blog/how-to-fix-no-dmarc-record-found/
Impact:
This is useful in phishing. The attacker can send forged emails from your
domain granting him the ability to pose as the company’s official and send
scam emails to your website user asking them for money or credentials.
Let me know if you need furthermore assistance required, or if you have any
other questions.
Thanks,
Regards
ARMAN KTK
[image: image.png]
[image: image.png]
1 month, 1 week