Email exploitation with web hosting services.
Medium
Vulnerability Details
Exploitation steps:
-------------------------------------
You must upload the PHP file to the public HTML directory.
I created this PHP code for testing, and I uploaded it.
The permissions must be checked.
Basically, I can send emails to anyone using your organisation's email list.
I can also send emails to your organisation's people.
Most companies are secure against this vulnerability.
You will find those emails in the primary section or in the promotions section.
Please do everything carefully; it will happen as it must.
Exploit code:
---------------------
<?php
// Recipient and sender addresses are redacted in the original report.
$to = "█████";
$subject = "Email exploitation test";
$txt = "Email exploitation test";
$headers = "From: ███████";
// mail() returns true only if the local MTA accepted the message for delivery.
$sent = mail($to, $subject, $txt, $headers);
echo $sent ? "Message accepted for delivery\n" : "mail() failed\n";
?>
## Impact
A short explanation of why all organisations believe this is a technical security vulnerability.
--------------------------------------------------------------------------------------------
When I visited this domain [ https://█████████/ ],
I found different types of emails from snov.io, and there are a lot of emails that contain internal information about your organisation.
That should not be known to the public. An attacker can copy those emails and then do email spoofing or email
bombing with them. If an attacker can use those emails, he/she can then send messages that are not from your organisation. He or she can write
bad, wrong, false or scam messages to those victims. They can cause reputation loss.
They can send harmful news, false news or malicious files. They can do phishing attacks and steal the internal information of your organisation.
Sometimes different types of account hacks may occur.
## System Host(s)
███████
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to Reproduce
## Suggested Mitigation/Remediation Actions
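The report's PHP calls mail() with caller-controlled To and From headers. As an added example that is not part of the report, the wrapper below shows the checks a hosting account should apply before calling mail(): a single validated recipient, a From address restricted to the account's own domain, and no CR/LF in any header-bound field (which would let a script append extra headers). ALLOWED_FROM_DOMAIN is an assumed value.

```php
<?php
// Hardened mail() wrapper (added example; the domain below is an assumption).
const ALLOWED_FROM_DOMAIN = 'example.com';

function safe_send_mail(string $to, string $subject, string $body, string $from): bool
{
    // Accept only a single, syntactically valid address for each side.
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Only the hosting account's own domain may appear in From:, so an
    // uploaded script cannot impersonate another organisation.
    $domain = strtolower(substr(strrchr($from, '@'), 1));
    if ($domain !== ALLOWED_FROM_DOMAIN) {
        return false;
    }
    // CR or LF in a header-bound field is header injection (extra Bcc:,
    // additional recipients); refuse the message outright.
    foreach ([$to, $subject, $from] as $field) {
        if (preg_match('/[\r\n]/', $field) === 1) {
            return false;
        }
    }
    $headers = [
        'From: ' . $from,
        'Reply-To: ' . $from,
        'X-Mailer: PHP/' . PHP_VERSION,
    ];
    // mail() returns false when the local MTA refuses the message.
    return mail($to, $subject, $body, implode("\r\n", $headers));
}

// Constructed sample inputs: the first passes the checks, the second is
// rejected because the From domain is not the account's own.
var_dump(safe_send_mail('user@example.com', 'Hello', 'Body', 'noreply@example.com'));
var_dump(safe_send_mail('user@example.com', 'Hello', 'Body', 'ceo@other-organisation.test'));
```

On the hosting side, setting `mail.add_x_header = On` in php.ini stamps each outgoing message with the originating script and UID, which makes an uploaded mailer traceable in the mail logs.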
Report Stats
- Report ID: 1878756
- State: Closed
- Substate: resolved
- Upvotes: 9