WebApp Sec mailing list archives

Whitepaper: SMTP Injection via recipient email addresses


From: Takeshi Terada <mbsdtest01 () gmail com>
Date: Wed, 9 Dec 2015 17:20:57 +0900

Dear all,

MBSD released a whitepaper titled "SMTP Injection via recipient email
addresses."
http://www.mbsd.jp/Whitepaper/smtpi.pdf

The paper discusses SMTP Injection attacks via malformed recipient
email addresses in some email libraries in Ruby, Java and PHP.

TOC
1. Introduction
2. How the attack works
3. Vulnerability examples
 3.1. Ruby's Mail
 3.2. JavaMail
 3.3. PHPMailer
 3.4. Other platforms
4. Further attack possibility
 4.1. FWS Attack
 4.2. CRLF-less attack
 4.3. Line-breaks for SMTP servers
5. Sender address attack
6. Conclusion

Best regards,

-- 
Takeshi Terada
Mitsui Bussan Secure Directions, Inc.
http://www.mbsd.jp/


