Code Monkey home page Code Monkey logo

forsaken-mail's Issues

存在xss漏洞

使用Gmail发送邮件内容为:

<script>alert(/xss/)</script>
<script>alert(/xss/)</script>
<script>alert(/xss/)</script>

会在forsaken-mail面板上执行JS代码。
eg:
image

会考虑修复吗?

怎么增加数据存储

可以增加数据存储吗。我自己用的,这个很简单又好用,但是消息我想存起来,保存一下注册的内容,以防查找,另外后面有邮件进入销毁的邮箱时,还能否收到信息?

一个漏洞: 需要屏蔽一些高权限的邮箱

forsaken-mail/modules/io.js

Lines 33 to 38 in a80cb6c

socket.on('set shortid', function(id) {
onlines.delete(socket.shortid);
socket.shortid = id;
onlines.set(socket.shortid, socket);
socket.emit('shortid', socket.shortid);
})

一个漏洞: 需要屏蔽一些高权限的邮箱, 如下:

  • admin@
  • administrator@
  • webmaster@
  • postmaster@
  • hostmaster@

根据 webtrust 标准, 屏蔽上述邮箱即可.

否则提供临时邮箱的域名, 会存在被冒签 SSL 的高危漏洞.

POC:
image

image

证书地址: https://crt.sh/?id=3842188133

此 SSL 未经过站长授权

bug:接收不到自动转发过来的邮件

发现个bug,望修复:
bug:接收不到”自动转发“和”来信分类“过来的邮件,测试了163邮箱和21.cn邮箱。
使用场景:自建用来接收转发过来的登录验证码。

向邮箱地址发送邮件后,docker容器报错退出

基本信息:
CentOS7
Docker version 1.13.1, build 7d71120/1.13.1

报错内容:

[root@warma forsaken-mail]# docker logs cb5673affa92
> [email protected] start
> node ./bin/www
warn: Python is not available. Dkim and spf checking is disabled.
warn: Either spamassassin or spamc are not available. Spam score computation is disabled.
info: Mailin Smtp server listening on port 25
(node:17) Warning: Accessing non-existent property 'padLevels' of module exports inside circular dependency
(Use `node --trace-warnings ...` to show where the warning was created)
/forsaken-mail/node_modules/smtp-server/lib/smtp-stream.js:38
    this.closed = false;
                ^
TypeError: Cannot set property closed of #<Writable> which has only a getter
    at new SMTPStream (/forsaken-mail/node_modules/smtp-server/lib/smtp-stream.js:38:17)
    at new SMTPConnection (/forsaken-mail/node_modules/smtp-server/lib/smtp-connection.js:54:20)
    at SMTPServer.connect (/forsaken-mail/node_modules/smtp-server/lib/smtp-server.js:95:22)
    at SMTPServer.<anonymous> (/forsaken-mail/node_modules/smtp-server/lib/smtp-server.js:84:14)
    at Server.emit (node:events:514:28)
    at TCP.onconnection (node:net:2157:8)
Node.js v20.9.0

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.