Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #11236 Abuse user mailboxes to prove ownership of the domain used by a Tuleap instance
    Actions
    Infos
    #11236
    Thomas Gerbet (tgerbet)
    2018-05-25 16:10
    2018-03-05 11:50
    11566
    Details
    Abuse user mailboxes to prove ownership of the domain used by a Tuleap instance

    Tuleap creates a mailbox for each user with a format like <tuleap_username>@<domain_name> and redirect all the emails from this mailbox to the email defined by the user. This behavior can be abused by an evil user.

    Impact

    Impacts can be diverse and depend on the context in which the Tuleap instance is used.
    An attacker could use this to help phishing campaigns by, for example, registering users like abuse, noreply or support.
    An attacker can also use this to prove domain ownership and be able to get a certificate for the domain signed by a trusted CA. Domain control validation can be done over email [0].

    CVSSv3 score: 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)

    References

    [0] CA/Browser Forum Baseline Requirements section 3.2.2.4.4 [PDF]
    CWE-16

    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-03-05
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #10994 Tuleap Releases 9.19 Delivered 2018-04-04 14:53 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #11236

    Artifact Tracker v5

    rel #11242 10.1
    request #11526 Remove completely the user mailboxes feature

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/35/10735/4' of ssh://gerrit.tuleap.net:29418/tuleap 82c486efca
    User avatar Manuel Vacelet (vaceletm) , 2018-03-05 17:04
    request #11236: Abuse user mailboxes to prove ownership of the domain used by a Tuleap instance c7795ff5ae
    User avatar Thomas Gerbet (tgerbet) , 2018-03-05 14:59
    Referenced by request #11236

    Artifact Tracker v5

    rel #10994 9.19

    Other

    gerrit #11236
    Display settings

    Follow-ups

    User avatar
    Manuel Vacelet (vaceletm)2018-03-05 17:06

    Integrated in 9.18.99.8

    • Status changed from Under review to Closed
    • Connected artifacts
    • Close date set to 2018-03-05