At 12:39 PM 3/30/01 +0600, J.K.D.Ruwan Jayanetti wrote:
>Hi,
>
>We're developing a billing system and web based access system for HylaFax.
>We found out following problem in xferfaxlog.
>
>In this, the "sender" entry contains sender's e-mail address. But not the
>authenticated user name or id. So if someone sends a fax putting some other
>e-mail address as the notification e-mail, this e-mail address comes to
>"sender" field. This is allowed when sending fax from a client through
>hylafax protocol. At this situation there is a fax going out but the sender
>is unidentifiable by the billing system as this log entry does not contain
>authenticated user name or id. I think this is a BUG! and this field should
>be filled with user name or the user id. Or a new field should be added.

You can't use the "sender" field as a reliable or secure submitter identification anyway, regardless of this being submitted by e-mail/faxmail or this being submitted by direct HylaFAX client communication. Because you can spoof that "sender" field as much as you like... go ahead and play around with it more, and you'll see this. "Sender" is merely whatever is in the sendfax -f option, for example, which is an entirely unrestricted field.

If there is a problem, it is in your attempted use of the "sender" field as a secure method of identification. Someone could log in using their own password and then use someone else's address in sendfax's -f field. Furthermore, you're mistaken if you believe that HylaFAX's faxmail is really in any way a secure method of fax submission. Spoofing an e-mail address, or even an IP number, is among the easiest tricks.

Don't get me wrong, I think that the password-verification used by client applications like a remote sendfax, Cypheus, or WHFC is secure enough for most environments, but implementing faxmail is dangerous (I don't use faxmail, so maybe I'm off-base here) because you are required to add an e-mail address to etc/hosts.hfaxd and e-mail addresses can be easily spoofed.

It's relatively easy to only allow certain people to use your fax service, but as for providing a means to securely log which faxusers sent which faxes, I'm not sure exactly how it can be done. You need a logging mechanism that matches jobs with the faxuser that correlates with the faxpassword that was supplied. I don't think HylaFAX has that feature yet; from what I can tell, it doesn't even log the logins into syslog.

Bug? Nah, it's simply a missing feature (or missing field as you noted), and a design weakness in the case of faxmail.

Lee.

____________________ HylaFAX(tm) Users Mailing List _______________________
To unsub: mail -s unsubscribe hylafax-users-request@hylafax.org < /dev/null