Pieterpost - access to "vitual" account

Type securityvulns
Reporter Securityvulns
Modified 2003-12-02T00:00:00


Hello bugtraq readers and writers !

name: PieterPost 0.10.6 homepage: http://todsah.nihilist.nl/index.php?p=Development/Projects/Pieterpost about: "PieterPost is a webbased interface to a pop3 mailbox. It is designed to be both small and easy to use"

what: entering url http://server.com/pp.php?action=login anyone can get access to "virtual" account.

I don't think that can be a big vuln, but at this moment anyone can send spam from such server and fake e-mail's. This work only with default configuration (localhost as pop3 server) and weak MTA agent - posible to change From header sending from localhost.