Apache OpenOffice (AOO) Bugzilla – Issue 127360
DMARC Security Missing in your domain
Last modified: 2017-03-16 20:49:29 UTC
Created attachment 85985: DMARC Security Missing in your domain

Sir, we found DMARC Security Missing in your domain.

Description and Impact

We found that your domain is vulnerable to Malware Injection as the fake mail headers are not blocked. We tried to send a fake mail through an open SMTP and found the mail reaching our server. Any attacker can take advantage of this situation and inject an advanced attack vector into the client side using the trust of your domain.

Reproduction Instructions/Proof of Concept

Here are the steps to reproduce:

1. We created a test bed of a vul link and bound it to a local website using the BeEF Framework (The Browser Exploitation Framework). Details of the framework and how it works can be found at http://beefproject.com/
2. So a testbed of the http://malware.localhost/ link was created using the above step.
3. Then an open SMTP server was used; there are many that can be found, let's say https://emkei.cz/ or https://anonymousemail.me/
4. Then a trusted mail from your domain was sent to one of our team members.
5. Due to the missing fake header checks, the mail shipped directly to our inbox.

I am attaching a simple POC along with this form to make it more clear.

This is a serious flaw and has been handled by many companies using Domain-based Message Authentication, Reporting and Conformance (DMARC). For example, if you try to send a fake mail using the facebook domain like admin@facebook.com, it will not be delivered to the inbox of any client for any public mail like Yahoo, Gmail, and Outlook. But the same is happening in your domain.

Please patch this flaw; in case you need any further info you can revert back to me.

Regards,
Sadik Shaikh
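The report above boils down to one check a domain owner can run from the defender's side: does the domain publish a DMARC record with an enforcing policy (p=reject or p=quarantine), and does its SPF record end in a qualifier that actually rejects unauthorized senders? The following is an added example, not part of the bug report or of the Apache project's tooling. It parses DMARC and SPF TXT records per RFC 7489 / RFC 7208 syntax and lists the weaknesses that let a forged From: header reach an inbox. The DNS answers are constructed inline under hypothetical .test domains so the block runs offline; in practice `SAMPLE_TXT` would be replaced with a live TXT lookup.

```python
"""Assess a domain's DMARC/SPF posture against From: header spoofing.

Added example (not the bug report's code). DNS data is constructed below so the
script runs offline; swap SAMPLE_TXT for a real resolver lookup when auditing.
"""

# Constructed TXT answers for hypothetical domains (not real DNS data).
SAMPLE_TXT = {
    "_dmarc.example-strong.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-strong.test; pct=100"],
    "example-strong.test": ["v=spf1 mx -all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test"],
    "example-weak.test": ["v=spf1 include:_spf.example-weak.test ~all"],
    # example-missing.test publishes no _dmarc record at all and a wide-open SPF.
    "example-missing.test": ["v=spf1 +all"],
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record ('v=DMARC1; p=reject; ...') into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, txt_lookup: dict = SAMPLE_TXT) -> dict:
    """Return the DMARC policy, an 'spoofable' verdict and a list of findings for `domain`."""
    findings = []

    # DMARC lives at _dmarc.<domain>; only records starting with v=DMARC1 count.
    dmarc = [r for r in txt_lookup.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        policy = None
        findings.append("no DMARC record: receivers apply no policy to a forged From: header")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitor-only, spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
        elif policy != "reject":
            findings.append("DMARC record has no valid p= tag; receivers ignore the record")
        # pct defaults to 100; anything lower leaves a share of spoofed mail unfiltered.
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
        if "rua" not in tags:
            findings.append("no rua= address: no aggregate reports, spoofing goes unnoticed")

    # SPF lives at the apex; the final 'all' qualifier decides what unlisted senders get.
    spf = [r for r in txt_lookup.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: any host may claim to send for this domain")
    else:
        last = spf[0].split()[-1].lower()
        if last in ("+all", "all"):
            findings.append("SPF ends with +all: every sender passes SPF")
        elif last == "~all":
            findings.append("SPF softfail (~all): advisory only unless DMARC enforces it")

    return {
        "domain": domain,
        "dmarc_policy": policy,
        # Without an enforcing DMARC policy a forged From: header is accepted at
        # most receivers even when SPF would fail, which is the report's core point.
        "spoofable": policy not in ("reject", "quarantine"),
        "findings": findings,
    }


if __name__ == "__main__":
    for name in ("example-strong.test", "example-weak.test", "example-missing.test"):
        result = assess_domain(name)
        print(f"{name}: policy={result['dmarc_policy']} spoofable={result['spoofable']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The `spoofable` verdict keys off DMARC alone on purpose: SPF and DKIM only describe which hosts or keys are legitimate, and it is the DMARC policy that tells a receiver to reject or quarantine mail whose From: domain fails those checks, which is exactly the gap the reporter describes.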
This is a bug tracking system for the OpenOffice app. The domain is managed by the Apache Foundation. Please contact the infra team directly at: infrastructure [at] apache [dot] org