Hi Team, I am an independent security researcher and I have found a bug in your website
https://www.debian.org/
The details of it are as follows:-
Description: This report is about a misconfigured DMARC record flag, which can be used for malicious purposes as it allows for fake mailing on behalf of respected organizations.
About the Issue:
As I have seen the DMARC and TXT record for debian.org/ <https://www.debian.org/>
What's the issue:
As you can see in the article below on the difference between soft-mail and fail, you should be using fail, as soft-mail allows anyone to send spoofed emails from your domains.
Attack Scenario: An attacker will send a phishing mail or any other malicious mail from
debian-project@lists.debian.org
Even if the victim is aware of phishing attacks, he will check the origin email, which came from your genuine mail id
debian-project@lists.debian.org
so he will think that it is a genuine mail and get trapped by the attacker.
The attack can be done using any PHP mailer tool like this:-
<?php
$to = "VICTIM@example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: debian-project@lists.debian.org";
mail($to, $subject, $txt, $headers);
?>
You can also check your DMARC record from:
https://mxtoolbox.com/SuperTool.aspx
Waiting for your reply.
*Regards,*
*ALI AZHAR*
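A defender-side check for the policy weakness this report describes, added here as an example (it is not the reporter's code, and the sample records are constructed, not debian.org's real DNS data). It assumes the "soft-mail" versus "fail" the report refers to is the SPF ~all (softfail) versus -all (fail) qualifier, and it also flags the DMARC p=none, partial pct and missing rua cases that leave a domain open to spoofing.

```python
import re

# Constructed sample records for demonstration; these are NOT debian.org's real DNS data.
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
SAMPLE_SPF = "v=spf1 mx ip4:192.0.2.0/24 ~all"

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record into a dict (tag names are case-insensitive)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return findings for a DMARC TXT record (RFC 7489 tags); an empty list means no weakness found."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: receivers are told to take no action on failures")
    pct = tags.get("pct", "100")  # RFC 7489 default is 100
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

def assess_spf(txt):
    """Return findings for an SPF record, judged by the qualifier on its final 'all' mechanism."""
    if not txt.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", txt)
    if not match:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = match.group(1) or "+"  # RFC 7208: a missing qualifier means '+'
    meaning = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}[qualifier]
    if qualifier == "-":
        return []  # hard fail: unlisted senders are rejected
    return [f"{qualifier}all ({meaning}): unlisted senders are not rejected"]

if __name__ == "__main__":
    print("DMARC:", assess_dmarc(SAMPLE_DMARC))
    print("SPF:", assess_spf(SAMPLE_SPF))
```

To run it against a live domain, feed the TXT records from _dmarc.<domain> and <domain> (as returned by dig or a lookup tool such as the one linked above) to the two functions.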
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)