Skip to main content

Vulnerability Notification about Email Auto-configuration

Comments

6 comments

  • cPRex Jurassic Moderator

    Hey there!  This sounds like a scam to me - all cPanel services are secured by default, and there are always secure options to connect to email and https.

    1
  • Cwarrent

    Thank you!

    My assumption would be that all standard protocols and services offered as part of cPanel would be fully secure so not sure if this is a rather technical way to present opening contact for someone phishing or spamming.

    0
  • Ruiz

    Hi there,

    I received the same e-mail, and I also think it is legit because the sender didn't ask us for anything. Digging a bit into the issue, I confirmed that autodiscover is accessible without SSL:
    http://autodiscover.mydomain.com/autodiscover/autodiscover.xml?email=myemail@mydomain.com

    The only sensitive information here is the e-mail address that could be captured. I'm not sure if some e-mail client also send other data to this url.

    1
  • Cwarrent

    Yes Ruiz, the way in that the email was worded and presented seemed like advice and not in any way an action to do anything.

    Rex may be able to feedback on the ramifications or if this needs looking at any further. I can appreciate it's a low priority issue to the best of my knowledge.

    0
  • cPRex Jurassic Moderator

    No, there isn't anything you need to do on the server for this message.  Look at it this way - why would a random researcher from China contact you?  Does that seem legit?

    0
  • Cwarrent

    I mean, no BUT I deal with 10's of emails sent to me from clients every week and there's loads of clues as to why they are not to be trusted.  This one though struck me differently, also like how Ruiz said.

    More importantly if there's no harm that can be done for what they're saying (the URL being accessible from HTTP) then we can ignore this.  I lean on your knowledge and expertise.

    0

Please sign in to leave a comment.