Hi there team,

Hope you are doing well. Kindly update me regarding this vulnerability; I am hoping for a bug bounty from you for sending this vulnerability to you ethically.

Best,
On Sat, Jun 10, 2023 at 12:37 AM Muhammad Umar <jinmayhem.resea...@gmail.com> wrote:

> I am a security researcher and I have found this vulnerability on your website https://www.haproxy.org/.
>
> Description:
>
> This report is about a misconfigured SPF record flag, which can be used to abuse the organization by posing as its identity, which allows for fake mailing on behalf of respected organizations.
>
> About the issue:
>
> As I have seen, the SPF (TXT) record for haproxy.org is:
>
> v=spf1 mx ~all
>
> As you can see, the symbol at the end, the tilde (~all), is the issue, which should be replaced by the hyphen (-all) symbol.
>
> So the valid record will look like:
>
> v=spf1 mx -all
>
> What's the issue:
>
> As you can see in the article on the difference between softfail and fail, you should be using fail, as softfail allows anyone to send spoofed emails from your domains.
>
> In the current SPF record you should replace ~ with - before "all" at the end; - is strict, which prevents all spoofed emails except if you are sending.
>
> Attack scenario:
>
> An attacker will send a phishing mail or any malicious mail to the victim via the mail address haproxy@formilux.org; even if the victim is aware of phishing attacks, he will check the origin email, which will be haproxy@formilux.org, so he will be sure that it is not a fake mail and get trapped by the attacker!
>
> This can be done using any PHP mailer tool like this:
>
> <?php
> $to = "vic...@example.com";
> $subject = "Password Change";
> $txt = "Change your password by visiting here - [VIRUS LINK HERE]";
> $headers = "From: haproxy@formilux.org";
> mail($to,$subject,$txt,$headers);
> ?>
>
> Regards,
> Muhammad Umar
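To see what result a receiving mail server actually derives from the two records discussed in the thread, here is a minimal SPF evaluator added as an example (not code from the report or from the HAProxy project). It handles only the mx, ip4 and all terms, and replaces DNS with constructed lookup tables; the MX hostname and IP addresses in those tables are hypothetical.

```python
import ipaddress

# Constructed stand-ins for DNS answers (assumption: no network access).
# Hostname and addresses are hypothetical, not real haproxy.org data.
MX_HOSTS = {"haproxy.org": ["mail.example.net"]}
A_RECORDS = {"mail.example.net": ["198.51.100.10"]}

# SPF qualifier prefix -> check result (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qual = "+"  # an unprefixed mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        terms.append((qual, name.lower(), arg))
    return terms


def mx_ips(domain):
    """Resolve the domain's MX hosts to addresses using the constructed tables."""
    ips = []
    for host in MX_HOSTS.get(domain, []):
        ips.extend(A_RECORDS.get(host, []))
    return ips


def check_host(ip, domain, record):
    """Return the SPF result a receiver would derive for sender ip/domain."""
    addr = ipaddress.ip_address(ip)
    for qual, name, arg in parse_spf(record):
        if name == "all":
            matched = True  # catch-all: the qualifier decides the verdict
        elif name == "mx":
            matched = any(addr == ipaddress.ip_address(i) for i in mx_ips(arg or domain))
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            continue  # include, a, exists, redirect are not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no all term present
```

A message from an address outside the MX set yields "softfail" under `~all` but "fail" under `-all`; only the latter tells a receiver to reject outright, which is the difference the report is about.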