WebApp Sec mailing list archives
Whitepaper: SMTP Injection via recipient email addresses
From: Takeshi Terada <mbsdtest01 () gmail com>
Date: Wed, 9 Dec 2015 17:20:57 +0900
Dear all,

MBSD released a whitepaper titled "SMTP Injection via recipient email addresses."

http://www.mbsd.jp/Whitepaper/smtpi.pdf

The paper discusses SMTP Injection attacks via malformed recipient email addresses in some email libraries in Ruby, Java and PHP.

TOC
1. Introduction
2. How the attack works
3. Vulnerability examples
  3.1. Ruby's Mail
  3.2. JavaMail
  3.3. PHPMailer
  3.4. Other platforms
4. Further attack possibility
  4.1. FWS Attack
  4.2. CRLF-less attack
  4.3. Line-breaks for SMTP servers
5. Sender address attack
6. Conclusion

Best regards,
--
Takeshi Terada
Mitsui Bussan Secure Directions, Inc.
http://www.mbsd.jp/