Vulnerability Report [Misconfigured Record dmarc]


Maaz Anwer

Jan 27, 2023, 8:35:03 AM
to sup...@opendap.org
Hi Team, I am an independent security researcher and I have found a bug in your website https://www.opendap.org/
The details are as follows:

Description: This report is about a misconfigured DMARC record flag, which can be used for malicious purposes as it allows fake mailing on behalf of respected organizations.

About the Issue:
As I have seen the DMARC and TXT record for
What's the issue:
As you can see in the article below, the difference between soft-fail and fail: you should be using fail, as soft-fail allows anyone to send spoofed emails from your domains.
 
Attack Scenario: An attacker will send a phishing mail or any other malicious mail. Even if the victim is aware of phishing attacks, he will check the origin email, which came from your genuine mail ID sup...@opendap.org, so he will think that it is a genuine mail and get trapped by the attacker.
The attack can be done using any PHP mailer tool like this:

<?php
// Sample from the report: a message whose From: header is set to the
// organisation's own support address. With a permissive DMARC/SPF policy
// the receiving server is not told to reject it.
$to = "VIC...@example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: sup...@opendap.org";
mail($to, $subject, $txt, $headers);
?>

You can also check your DMARC record from:
https://mxtoolbox.com/SuperTool.aspx



Waiting for your reply.
Regards,
MAAZ ANWER
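
As an added illustration (not part of the thread or of opendap.org's configuration), a small checker for the two records the report talks about: it parses a DMARC TXT record and flags p=none (or a missing/partial policy), and parses an SPF record to flag a softfail (~all) or weaker terminating mechanism. The four records below are constructed samples, not real DNS data.

```python
import re

# Constructed sample records for the demonstration; they are not opendap.org's real DNS data.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.org"
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"


def parse_dmarc(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=none; ...') into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return findings explaining why the DMARC record still lets spoofed mail through."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'}: receivers are asked to deliver mail that fails DMARC")
    sub_policy = tags.get("sp", policy).lower()  # subdomains inherit p= when sp= is absent
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy or '<missing>'}: subdomains inherit the permissive policy")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) == 100):
        findings.append(f"pct={pct}: policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports about spoofing attempts are lost")
    return findings


def assess_spf(txt):
    """Flag an SPF record whose final 'all' mechanism is softfail (~), neutral (?) or pass (+)."""
    if not txt.lower().startswith("v=spf1"):
        return ["not an SPF record (missing v=spf1)"]
    match = re.search(r"(?:^|\s)([-+~?]?)all(?:\s|$)", txt)
    if not match:
        return ["no 'all' mechanism: senders not listed are treated as neutral"]
    qualifier = match.group(1) or "+"  # SPF default qualifier is '+' (pass)
    if qualifier == "-":
        return []  # -all (fail): unlisted senders are rejected, as the report recommends
    meaning = {"+": "pass", "~": "softfail", "?": "neutral"}[qualifier]
    return [f"{qualifier}all ({meaning}): senders not listed are not rejected; use -all"]
```

Run assess_dmarc and assess_spf on the TXT records returned by a DNS lookup of _dmarc.<domain> and <domain>; an empty list means the record already asks receivers to reject unauthorised senders.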

Maaz Anwer

Feb 13, 2023, 1:14:22 PM
to sup...@opendap.org
Hi team,
It's been a few days since I reported a bug to you. I hope you have gone through my report thoroughly and made the necessary changes that I suggested. Kindly let me know what you have decided; I am expecting a bug bounty from you for reporting it ethically to you.

Best regards

Maaz Anwer

Jun 12, 2023, 7:55:16 PM
to sup...@opendap.org
Hello team,
In the past, many websites have rewarded me for letting them know about this vulnerability because it is an impactful vulnerability. It would be justifiable if you rewarded me in any way, either a cash reward, an Amazon gift voucher or swag as a token of appreciation. Also, I've found more critical bugs too, so if you're willing to make your website safer then please appreciate the ethical disclosure of this vulnerability so that I will surely report more to make your site more secure.

Best Regards

Maaz Anwer

Aug 22, 2023, 10:16:43 AM
to sup...@opendap.org
Hello team,
Please don't let my efforts be wasted.
If you are not interested in giving a reward and sorting this issue out, then please allow me to disclose it publicly in my blogs for educational purposes.

Best Regards