Bugtraq mailing list archives
Re: PHP: Bypass safe_mode and inject ASCII control chars with mail()
From: Ulf Harnhammar <ulfh () update uu se>
Date: Thu, 29 Aug 2002 00:05:43 +0200 (CEST)
On Fri, 23 Aug 2002, Wojciech Purczynski wrote:
> Issue:
> ======
> Two vulnerabilities exist in the mail() PHP function. The first one allows executing any program/script, bypassing the safe_mode restriction; the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts.
>
> [..]
>
> (2) Injecting ASCII control characters into mail() arguments
>
> Arbitrary ASCII control characters may be injected into string arguments of the mail() function. If mail() arguments are taken from user's input, it may give the user the ability to alter message content, including mail headers. Example of such a vulnerability may be found on the PHP.net site:
>
> (URL wrapped for readability)
> http://www.php.net/mailing-lists.php?
> maillist=your () email com%0a&email=fake () from net%0a
>
> PHP should do content filtering before creating the message body sent with the "sendmail -t" command.
It is hard for the PHP developers to do something about this CRLF Injection issue, as this function's interface is badly designed. mail() has got an optional fourth parameter, string additional_headers, where all the other headers apart from "To:" and "Subject:" go. Lots of PHP scripts use it to set "From:" and "Reply-To:" headers, by giving additional_headers a value like "From: $from\nReply-To: $from\n" . "X-Mailer: my program name/0.0". If $from has got the value "ulf\nX-Header-1: test", you end up with "From: ulf\nX-Header-1: test\nReply-To: ulf\nX-Header-1: test\nX-Mailer: my program name/0.0". (See my earlier Bugtraq post, "Geeklog XSS and CRLF Injection", for a real-life example.)

If additional_headers had been an array instead of a string, the PHP developers could have filtered out all occurrences of CR or LF characters in each array element. As it is in fact a string, lots and lots of scripts that use variables defined by the user without filtering are vulnerable to all kinds of CRLF Injection issues while sending e-mail.

// Ulf Harnhammar
ulfh () update uu se
http://www.metaur.nu/
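The header-building pattern described in the reply above, as an added example that is not part of either post and not code from PHP itself: the vulnerable concatenation of a user-controlled $from into additional_headers, next to a hardened version that refuses any value containing CR, LF or NUL before it can reach mail(). The function names, the attacker string (built from the "ulf\nX-Header-1: test" value in the reply, plus an injected Bcc: line to illustrate the open-relay case from the original advisory) and the example address are constructed for this illustration. The script only builds and prints the header string; it never calls mail(), so it runs offline.

```php
<?php
// Added example: CRLF injection through mail()'s additional_headers.
// Not from the original posts; names and inputs are constructed.

// Vulnerable: the user-supplied $from is pasted straight into the
// header block, exactly as many scripts of the time did.
function build_headers_vulnerable(string $from): string
{
    return "From: $from\nReply-To: $from\n" . "X-Mailer: my program name/0.0";
}

// A single header value must never contain a line break: a CR or LF
// ends the current header and lets the attacker start a new one
// (or, with a blank line, start the message body).
function assert_single_header_value(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('control character in header value');
    }
    return $value;
}

// Hardened: validate the address, then reject control characters.
// filter_var() with FILTER_VALIDATE_EMAIL already refuses addresses
// containing whitespace, so the explicit CR/LF check is defence in depth.
function build_headers_hardened(string $from): string
{
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid e-mail address');
    }
    $from = assert_single_header_value($from);
    return "From: $from\nReply-To: $from\n" . "X-Mailer: my program name/0.0";
}

// Constructed attacker input: the value from the reply, extended with a
// Bcc: header. Injected Bcc: recipients are what turns a contact form
// into the "open relay" the original advisory warns about.
$attacker = "ulf\nX-Header-1: test\nBcc: victim () example com";

echo "--- vulnerable: attacker-controlled headers ---\n";
echo build_headers_vulnerable($attacker), "\n\n";

echo "--- hardened: same input ---\n";
try {
    build_headers_hardened($attacker);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n\n";
}

echo "--- hardened: legitimate input ---\n";
echo build_headers_hardened('ulf@example.com'), "\n";
```

Run it with the PHP command-line interpreter; the first block of output shows the injected X-Header-1 and Bcc: lines appearing as separate headers twice (once after From:, once after Reply-To:), which is the doubling effect described in the reply. The same check belongs on every user-derived value that reaches mail(), including the To and Subject arguments, since the advisory notes that all string arguments are affected.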
Current thread:
- PHP: Bypass safe_mode and inject ASCII control chars with mail() Wojciech Purczynski (Aug 23)
- Re: PHP: Bypass safe_mode and inject ASCII control chars with mail() Ulf Harnhammar (Aug 28)