is MailHog mail application secure?

Time:10-23

I have a task to set up MailHog on our VPS, but they also asked me about the security of this script, and I don't have any experience with security stuff.

This is the script's GitHub repository: https://github.com/mailhog/MailHog

I have also checked their security page on github.com, but there are no security issues listed: https://github.com/mailhog/MailHog/security/advisories

CodePudding user response:

After pentesting the script, I have found two vulnerabilities:

  1. SMTP injection
  2. Memory leak leading to denial of service.

These vulnerabilities occur due to the default settings.

CodePudding user response:

To answer this question you can do two things:

  1. Look at the history of MailHog. Has it had any known vulnerabilities already? What was their severity? How long did it take for the vulnerabilities to be fixed? You can start with the CVE list (nope, nothing here), but you should also google a bit. Looking into the security issues on GitHub was a good idea.
  2. Do a security evaluation yourself. Most of it seems to have been written in Go. Maybe search for a static code analysis (SAST) tool and run it over the code. Read the code. Understand it. Verify it. Doing security evaluations is an expensive thing that requires deep technical knowledge. Usually this is not done for fun.

Usually checking point 1 and also gathering some project metadata (how old is the code base, is it maintained, are the bugs resolved, are people using the software at all, ...) should be enough to make the initial security assessment. If someone needs to be more certain than that, they need to pay for point 2.
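Point 1 of the answer above (has the component, or anything it pulls in, had known vulnerabilities?) is the part of the assessment that can be automated. The Go program below is an added example for this page, not code from MailHog or from either answer: it matches a constructed set of Go module versions (the path/version pairs that `go list -m all` prints) against a constructed advisory feed written in the OSV schema, the format the Go vulnerability database and osv.dev publish. Every module name, advisory ID and summary in it is made up and describes no real vulnerability; the parts worth keeping are the numeric version comparison and the introduced/fixed interval walk, which is where home-grown checks usually go wrong.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Subset of the OSV schema (https://ossf.github.io/osv-schema/); encoding/json matches
// keys case-insensitively, so "id" fills ID without struct tags.
type Advisory struct {
	ID, Summary string
	Affected    []struct {
		Package struct{ Ecosystem, Name string }
		Ranges  []struct{ Type string; Events []map[string]string } // one key per event: introduced or fixed
	}
}

type Finding struct{ Path, Version, Advisory, Summary string } // a module hit by an advisory

// Constructed input (not a real project): the path -> version pairs `go list -m all` prints.
var sampleModules = map[string]string{
	"example.com/dep/smtpd":  "v0.9.4",
	"example.com/dep/render": "v1.2.0",
	"example.com/dep/store":  "v2.0.3+incompatible",
}

// Constructed OSV feed: IDs, packages and summaries are made up, not real CVEs.
const sampleOSV = `[
 {"id":"EXAMPLE-0001","summary":"constructed: input validation bug",
  "affected":[{"package":{"ecosystem":"Go","name":"example.com/dep/smtpd"},
   "ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.0.0"}]}]}]},
 {"id":"EXAMPLE-0002","summary":"constructed: resource exhaustion",
  "affected":[{"package":{"ecosystem":"Go","name":"example.com/dep/store"},
   "ranges":[{"type":"SEMVER","events":[{"introduced":"2.0.0"},{"fixed":"2.0.5"}]}]}]}
]`

// compareSemver is <0, 0 or >0 as a <, == or > b. It accepts "v1.2.3" or "1.2.3", drops
// suffixes like "+incompatible", and avoids the string-order trap ("v1.10.0" < "v1.9.0").
func compareSemver(a, b string) int {
	parts := func(v string) (n [3]int) {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i]
		}
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n
	}
	pa, pb := parts(a), parts(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] - pb[i]
		}
	}
	return 0
}

// inRange walks the sorted OSV events: "introduced" ("0" = first release) opens a
// vulnerable interval, "fixed" closes it; v is affected if it ends up inside one.
func inRange(v string, events []map[string]string) bool {
	affected := false
	for _, ev := range events {
		if in, ok := ev["introduced"]; ok && (in == "0" || compareSemver(v, in) >= 0) {
			affected = true
		} else if fx, ok := ev["fixed"]; ok && compareSemver(v, fx) >= 0 {
			affected = false
		}
	}
	return affected
}

// Audit reports every module whose pinned version sits inside an advisory's Go SEMVER range.
func Audit(mods map[string]string, osvJSON string) ([]Finding, error) {
	var advisories []Advisory
	if err := json.Unmarshal([]byte(osvJSON), &advisories); err != nil {
		return nil, err
	}
	var out []Finding
	for _, adv := range advisories {
		for _, aff := range adv.Affected {
			ver, ok := mods[aff.Package.Name]
			if !ok || aff.Package.Ecosystem != "Go" {
				continue
			}
			for _, r := range aff.Ranges {
				if r.Type == "SEMVER" && inRange(ver, r.Events) {
					out = append(out, Finding{aff.Package.Name, ver, adv.ID, adv.Summary})
				}
			}
		}
	}
	return out, nil
}

func main() {
	fmt.Println(Audit(sampleModules, sampleOSV)) // two constructed findings (smtpd, store), <nil>
}
```

For a real Go code base, `govulncheck` (from golang.org/x/vuln) does this against the live Go vulnerability database and additionally checks whether the vulnerable function is reachable from your code, which this sketch does not attempt. Running it alongside a SAST tool, as point 2 suggests, is the cheap end of a security evaluation; the expensive end is still reading and understanding the code.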
