Bugtraq mailing list archives

Re: PHP: Bypass safe_mode and inject ASCII control chars with mail()


From: Ulf Harnhammar <ulfh () update uu se>
Date: Thu, 29 Aug 2002 00:05:43 +0200 (CEST)

On Fri, 23 Aug 2002, Wojciech Purczynski wrote:

Issue:
======

Two vulnerabilities exist in the mail() PHP function. The first one allows one
to execute any program/script bypassing the safe_mode restriction; the second
one may give an open-relay script if the mail() function is not carefully used
in PHP scripts.

[..]

(2) Injecting ASCII control characters into mail() arguments

Arbitrary ASCII control characters may be injected into string arguments
of the mail() function. If mail() arguments are taken from the user's input,
it may give the user the ability to alter message content, including mail
headers.

An example of such a vulnerability may be found on the PHP.net site:

(URL wrapped for readability)
http://www.php.net/mailing-lists.php?
      maillist=your () email com%0a&email=fake () from net%0a

PHP should do content filtering before creating the message body sent
with the "sendmail -t" command.

It is hard for the PHP developers to do something about this CRLF
Injection issue, as this function's interface is badly designed.

mail() has got an optional fourth parameter, string additional_headers,
where all the other headers apart from "To:" and "Subject:" go. Lots of
PHP scripts use it to set "From:" and "Reply-To:" headers, by giving
additional_headers a value like
"From: $from\nReply-To: $from\n" . "X-Mailer: my program name/0.0".
If $from has got the value "ulf\nX-Header-1: test", you end up with
"From: ulf\nX-Header-1: test\nReply-To: ulf\nX-Header-1: test\nX-Mailer: my
program name/0.0". (See my earlier Bugtraq post, "Geeklog XSS and CRLF
Injection", for a real-life example.)

If additional_headers had been an array instead of a string, the PHP
developers could have filtered out all occurrences of CR or LF characters
in each array element. As it is in fact a string, lots and lots of scripts
that use variables defined by the user without filtering are vulnerable to
all kinds of CRLF Injection issues while sending e-mail.

// Ulf Harnhammar
ulfh () update uu se
http://www.metaur.nu/
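The per-value filtering Ulf says the string interface prevents PHP from doing for you, as an added example that is not code from the post or from PHP itself: a script-side helper that builds additional_headers from an array and refuses any value containing CR or LF. The build_headers() function, the header names and the sample $from value are assumptions for illustration.

```php
<?php
// Added example: build the additional_headers string for mail() from an
// array, so each header value can be checked on its own before the
// lines are joined. Not part of the original post.

// Returns the additional_headers string, or throws if any value could
// start a new header line (CR, LF) or truncate the string (NUL).
function build_headers(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        // Header names come from the script, not the user, but check anyway.
        if (!preg_match('/^[A-Za-z0-9-]+$/', $name)) {
            throw new InvalidArgumentException("bad header name: $name");
        }
        // Reject rather than strip: a value with a line break is never a
        // legitimate single From:/Reply-To: value in this context.
        if (preg_match('/[\r\n\0]/', $value)) {
            throw new InvalidArgumentException("line break in header $name");
        }
        $lines[] = "$name: $value";
    }
    return implode("\r\n", $lines) . "\r\n";
}

// Constructed sample input: the value used in the post, containing an LF.
$from = "ulf\nX-Header-1: test";

// The pattern quoted in the post, with no filtering: the injected
// "X-Header-1: test" becomes its own header line (twice).
$unfiltered = "From: $from\nReply-To: $from\n" . "X-Mailer: my program name/0.0";
echo $unfiltered, "\n---\n";

// The same headers built through the helper: the call fails before
// anything reaches "sendmail -t".
try {
    $safe = build_headers([
        'From'     => $from,
        'Reply-To' => $from,
        'X-Mailer' => 'my program name/0.0',
    ]);
    // mail($to, $subject, $body, $safe);  // only reached with clean values
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```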

