HylaFAX The world's most advanced open source fax server

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [hylafax-users] Bug? in xferfaxlog!!!



Sa told earlier am I working out a likewise mechanism for our system. We don't
provide a 100% fax service because the the hazards/security risks as mentioned by
Lee. In stead I made it possible to send a fax via a form. Fill out the text in
your browser, push the send button, and of she goes...

Each fax destionation is represented by a mail address. This mail address is
forwarded to a fax number in a for the user unknown format. ie 12345678@whatever.
The fax to mail module trims this to 12345678.

To retrieve a list for this user could be done by grep 123456789 xferfaxlog >
log.txt. From here you can do whatever you want. Put it in a script, do a
text2html,... the sky is the limit :-)

Hope this tip is usefull.

Lee Howard wrote:

> At 12:39 PM 3/30/01 +0600, J.K.D.Ruwan Jayanetti wrote:
> >Hi,
> >
> >We're developing a billing system and web based access system for HylaFax.
> >We found out following problem in xferfaxlog.
> >
> >In this, the "sender" entry contains senders e-mail address. But not the
> >authenticated user name or id. So if someone send a fax putting some other
> >e-mail address as the notification e-mail, this e-mail address comes to
> >"sender" field. This is allowed when sending fax form a client through
> >hylafax protocol. At this situation there is a fax going out but the sender
> >is unidentifiable by the billing system as this log entry does not contain
> >authenticated user name or id. I think this is a BUG! and this field should
> >filled with user name or the user id. Or a new field should be added.
>
> You can't use the "sender" field as a reliable or secure submitter
> identification anyway, regardless of this being submitted by e-mail/faxmail
> or this being submitted by direct HylaFAX client communication.  Because
> you can spoof that "sender" field as much as you like... go ahead and play
> around with it more, and you'll see this.  "Sender" is merely whatever is
> in the sendfax -f option, for example, which is an entirely unrestricted
> field.
>
> If there is a problem, it is in your attempted use of the "sender" field as
> a secure method of identification.  Someone could log in using their own
> password and then use someone else's address in sendfax's -f field.
> Furthermore, you're mistaken if you believe that HylaFAX's faxmail is
> really in any way a secure method of fax submission.  Spoofing an e-mail
> address, or even an IP number is among the easiest tricks.
>
> Don't get me wrong, I think that the password-verification used by client
> applications like a remote sendfax, Cypheus, or WHFC is secure enough for
> most environments, but implementing faxmail is dangerous (I don't use
> faxmail, so maybe I'm off-base here) because you are required to add an
> e-mail address to etc/hosts.hfaxd and e-mail addresses can be easily spoofed.
>
> It's relatively easy to only allow certain people to use your fax service,
> but as for providing a means to securely log which faxusers sent which
> faxes, I'm not sure exactly how it can be done.  You need a logging
> mechanism that corresponds jobs with the faxuser that correlating with the
> faxpassword that was supplied.  I don't think HylaFAX has that feature yet,
> from what I can tell, it doesn't even log the logins into syslog.
>
> Bug?  Nah, it's simply a missing feature (or missing field as you noted),
> and a design weakness in the case of faxmail.
>
> Lee.
>
> ____________________ HylaFAX(tm) Users Mailing List _______________________
>  To unsub: mail -s unsubscribe hylafax-users-request@hylafax.org < /dev/null

Kind Regards,


Aasterud WebCom
Harry M. Aasterud      Tel.: +47 / 74 16 11 42
Utvik                  Faks: +47 / 74 16 11 43
NO-7730 Beitstad       http://www.aasterudweb.com
Norge - Norway

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
Aasterud WebCom for the presence of computer viruses.
**********************************************************************




____________________ HylaFAX(tm) Users Mailing List _______________________
 To unsub: mail -s unsubscribe hylafax-users-request@hylafax.org < /dev/null




Project hosted by iFAX Solutions