[ipac] Exploit of horizon email capability
Rosa, Lucille, CIV, NAVWARCOL
lucille.rosa at nwc.navy.mil
Wed Dec 27 08:34:13 EST 2006
Does the version of HIP matter?
Lucille M. Rosa
Head, Technical Services Div.
Naval War College Library
686 Cushing Rd.
Newport, RI 02841
401-841-6492
DSN: 948-6492
FAX: 401-841-6562
-----Original Message-----
From: ipac-bounces at lists.tblc.org [mailto:ipac-bounces at lists.tblc.org] On
Behalf Of Greg Barniskis
Sent: Tuesday, December 26, 2006 4:47 PM
To: Dynix's Horizon Information Portal, formerly iPac (discussion)
Subject: Re: [ipac] Exploit of horizon email capability
Tyckoson, Mary Ellen wrote:
> Has anyone else experienced what seems to be a scripted use of the
> email a bib capability in HIP to launch an attack? We suddenly got
> around 70 automated replies from the letters address for the
> Washington Post that appear to respond to a handful of bibs sent over
> and over again from HIP to that address.
>
> We've had some cases where a spammer seems to search out comment forms
> on our Web site and submit them with typical spam junk via some
> automated means. Annoying to the person who has to read the comments
> mailbox, but that's all. This latest seems to be using HIP's mail
> sending capability to target a specific mailbox - at least that was my
> take given that it was the Washington Post.
I don't think we've seen this here yet, but your guess is a good one.
Spamming is now a multi-billion dollar industry and there are many people
"working" full time searching out and testing web servers that have a
messaging capability, just to see if and how they might be exploited.
The ability of HIP to send messages to an arbitrary destination needs to be
seriously examined. All "email this" features should probably require the
patron to log in and then automatically use the email address on their
patron record rather than allowing the user to input arbitrary data.
Otherwise, whether these forms are truly exploitable or not you can bet that
attempts to exploit them will increase in frequency and never cease.
--
Greg Barniskis, Computer Systems Integrator South Central Library System
(SCLS) Library Interchange Network (LINK) <gregb at scls.lib.wi.us>, (608)
266-6348
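The fix Greg proposes (only logged-in patrons may use "email this", and the recipient is always the address on the patron record, never a form field) and the symptom Mary Ellen describes (a handful of bibs sent over and over to one outside address) can both be shown in code. The following is an added example written for this archive page; it is not code from Horizon/HIP or from anyone in the thread. The patron table, session table, mail-log format and all addresses are constructed assumptions, and the handler is a plain function rather than any real HIP endpoint.

```python
"""Added example: a hardened "email this bib" handler plus a small
mail-log check. Patron/session data and log lines below are constructed
for illustration and do not come from Horizon/HIP."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Assumed patron records and login sessions (constructed sample data).
PATRONS = {"p-100": "alice@example.org", "p-200": "bob@example.org"}
SESSIONS = {"sess-ok": "p-100", "sess-bob": "p-200"}

RATE_LIMIT = 5          # messages one patron may send per window
WINDOW_SECONDS = 600    # sliding 10-minute window


@dataclass
class Outbox:
    """Collects what would be handed to the mailer, plus an audit trail."""
    sent: List[Tuple[str, str]] = field(default_factory=list)   # (recipient, bib_id)
    audit: List[str] = field(default_factory=list)
    recent: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))             # patron -> send times


def send_bib_email(outbox: Outbox, session_id: str, bib_id: str,
                   requested_to: Optional[str] = None,
                   now: float = 0.0) -> Tuple[bool, str]:
    """Send a catalogue record to the logged-in patron's own address.

    Returns (ok, detail). An unauthenticated caller is refused; a recipient
    supplied in the request is ignored and logged, never honoured; and a
    per-patron rate limit bounds the damage a scripted client can do."""
    patron_id = SESSIONS.get(session_id)
    if patron_id is None:
        outbox.audit.append(f"reject bib={bib_id} reason=unauthenticated")
        return False, "login required"
    if requested_to is not None:
        # The form value is deliberately discarded: the patron record decides.
        outbox.audit.append(
            f"ignored-recipient patron={patron_id} supplied={requested_to}")
    window = outbox.recent[patron_id]
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        outbox.audit.append(f"reject patron={patron_id} reason=rate-limit")
        return False, "rate limit exceeded"
    window.append(now)
    recipient = PATRONS[patron_id]
    outbox.sent.append((recipient, bib_id))
    return True, recipient


# Constructed outbound-mail log in an assumed "timestamp to=... bib=..." shape.
SAMPLE_MAIL_LOG = """\
2006-12-26T15:01:02 to=alice@example.org bib=10001
2006-12-26T15:01:09 to=letters@news.example bib=20001
2006-12-26T15:01:10 to=letters@news.example bib=20002
2006-12-26T15:01:11 to=letters@news.example bib=20001
2006-12-26T15:01:12 to=letters@news.example bib=20003
2006-12-26T15:01:13 to=letters@news.example bib=20002
2006-12-26T15:02:00 to=bob@example.org bib=10002
"""


def flag_repeat_recipients(log_text: str, threshold: int = 3) -> Dict[str, Tuple[int, int]]:
    """Flag recipients that received at least `threshold` messages.

    Returns {recipient: (message_count, distinct_bib_count)}; a high count
    with few distinct bibs is the "same few records, over and over" pattern."""
    counts: Dict[str, int] = defaultdict(int)
    bibs: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        if "to" not in fields:
            continue
        counts[fields["to"]] += 1
        bibs[fields["to"]].add(fields.get("bib", "?"))
    return {to: (n, len(bibs[to])) for to, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    box = Outbox()
    print(send_bib_email(box, "sess-ok", "20001", requested_to="letters@news.example"))
    print(box.audit)
    print(flag_repeat_recipients(SAMPLE_MAIL_LOG))
```

The handler never reads a recipient from the request at all, which removes the open-relay property outright rather than trying to validate arbitrary addresses; the rate limit and audit lines are there so that a compromised or scripted patron session still produces a bounded, visible trail. The log check is the report side of the same problem: run over the outbound mail log, it surfaces exactly the case in the thread, one external address receiving many copies of a few bibs.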