Re: PHP: Bypass safe_mode and inject ASCII control chars with mail()

From: Ulf Harnhammar (ulfh@update.uu.se)
Date: 08/29/02


Date: Thu, 29 Aug 2002 00:05:43 +0200 (CEST)
From: Ulf Harnhammar <ulfh@update.uu.se>
To: isec@isec.pl, bugtraq@securityfocus.com

On Fri, 23 Aug 2002, Wojciech Purczynski wrote:

> Issue:
> ======
>
> Two vulnerabilities exist in the mail() PHP function. The first one allows
> executing any program/script, bypassing the safe_mode restriction; the second
> one may give an open-relay script if the mail() function is not carefully
> used in PHP scripts.

[..]

> (2) Injecting ASCII control characters into mail() arguments
>
> Arbitrary ASCII control characters may be injected into string arguments
> of the mail() function. If mail() arguments are taken from user's input, it
> may give the user the ability to alter message content, including mail
> headers.
>
> An example of such a vulnerability may be found on the PHP.net site:
>
> (URL wrapped for readability)
> http://www.php.net/mailing-lists.php?
> maillist=your@email.com%0a&email=fake@from.net%0a
>
> PHP should do content filtering before creating message body sent
> with "sendmail -t" command.

It is hard for the PHP developers to do something about this CRLF
Injection issue, as this function's interface is badly designed.

mail() has got an optional fourth parameter, string additional_headers,
where all the other headers apart from "To:" and "Subject:" go. Lots of
PHP scripts use it to set "From:" and "Reply-To:" headers, by giving
additional_headers a value like "From: $from\nReply-To: $from\n" .
"X-Mailer: my program name/0.0". If $from has got the value
"ulf\nX-Header-1: test", you end up with
"From: ulf\nX-Header-1: test\nReply-To: ulf\nX-Header-1: test\nX-Mailer: my
program name/0.0". (See my earlier Bugtraq post, "Geeklog XSS and CRLF
Injection", for a real-life example.)

If additional_headers had been an array instead of a string, the PHP
developers could have filtered out all occurrences of CR or LF characters
in each array element. As it is in fact a string, lots and lots of scripts
that use variables defined by the user without filtering are vulnerable to
all kinds of CRLF Injection issues while sending e-mail.

// Ulf Harnhammar
ulfh@update.uu.se
http://www.metaur.nu/
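The array-based construction the post argues for, which lets CR and LF be checked in every element before the headers string is handed to mail(), as an added example (this is not code from the post or from PHP itself; build_headers() and the sample values are constructed here):

```php
<?php
// Added example: build mail()'s additional_headers string from an array,
// refusing any element that carries CR, LF or another control character, so
// a value such as "ulf\nX-Header-1: test" cannot smuggle in an extra header.
// build_headers() and the sample values below are constructed for this example.

function build_headers(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        // Header names: printable US-ASCII except ':' (RFC 5322 field-name).
        if (!preg_match('/^[!-9;-~]+$/', (string) $name)) {
            throw new InvalidArgumentException("Bad header name: $name");
        }
        // Header values: refuse CR, LF and other control chars (tab excepted).
        if (preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value)) {
            throw new InvalidArgumentException("Control character in header $name");
        }
        $lines[] = "$name: $value";
    }
    // One header per line, separated by CRLF, no trailing blank line.
    return implode("\r\n", $lines);
}

// Honest input: yields "From: ...\r\nReply-To: ...\r\nX-Mailer: ..."
$from = 'ulf@example.com';
echo build_headers([
    'From'     => $from,
    'Reply-To' => $from,
    'X-Mailer' => 'my program name/0.0',
]), "\n";

// The tainted value from the post; with a plain string this would become
// two header lines, here it is rejected before reaching mail().
$tainted = "ulf\nX-Header-1: test";
try {
    build_headers(['From' => $tainted, 'Reply-To' => $tainted]);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

The returned string is what a script would pass as mail()'s fourth argument; every user-supplied value goes through the per-element check first.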
