On Fri, 23 Aug 2002, Wojciech Purczynski wrote:

> Issue:
> ======
>
> Two vulnerabilities exist in the mail() PHP function. The first one allows
> one to execute any program/script bypassing the safe_mode restriction, the
> second one may give an open-relay script if the mail() function is not
> carefully used in PHP scripts.

[..]

> (2) Injecting ASCII control characters into mail() arguments
>
> Arbitrary ASCII control characters may be injected into string arguments
> of the mail() function. If mail() arguments are taken from user's input it
> may give the user the ability to alter message content including mail
> headers.
>
> An example of such a vulnerability may be found on the PHP.net site:
>
> (URL wrapped for readability)
> http://www.php.net/mailing-lists.php?
> maillist=your@email.com%0a&email=fake@from.net%0a
>
> PHP should do content filtering before creating the message body sent
> with the "sendmail -t" command.

It is hard for the PHP developers to do something about this CRLF Injection issue, as this function's interface is badly designed.

mail() has got an optional fourth parameter, string additional_headers, where all the other headers apart from "To:" and "Subject:" go. Lots of PHP scripts use it to set "From:" and "Reply-To:" headers, by giving additional_headers a value like "From: $from\nReply-To: $from\n" . "X-Mailer: my program name/0.0". If $from has got the value "ulf\nX-Header-1: test", you end up with "From: ulf\nX-Header-1: test\nReply-To: ulf\nX-Header-1: test\nX-Mailer: my program name/0.0". (See my earlier Bugtraq post, "Geeklog XSS and CRLF Injection", for a real-life example.)

If additional_headers had been an array instead of a string, the PHP developers could have filtered out all occurrences of CR or LF characters in each array element. As it is in fact a string, lots and lots of scripts that use variables defined by the user without filtering are vulnerable to all kinds of CRLF Injection issues while sending e-mail.
// Ulf Harnhammar ulfh@update.uu.se http://www.metaur.nu/
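The following is an added example, not code from the post above or from PHP itself. It shows the concatenation pattern the post describes next to a builder that refuses any user-supplied header value containing CR, LF or NUL before it is passed as additional_headers, so a single "From:" value can never become two header lines. The helper names (assertSingleHeaderLine, buildAdditionalHeaders, countHeaderLines) and the use of CRLF as the header separator are assumptions made for the example; the mail() call at the end is shown but not executed.

```php
<?php
// Added example (not from the original post): building the additional_headers
// string for mail() from user input without letting a line break through.

// Hypothetical helper: refuse any value containing CR, LF or a NUL byte, the
// characters that would let a value start a new header line on its own.
function assertSingleHeaderLine(string $value, string $name): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("Header $name contains a line break");
    }
    return $value;
}

// Hypothetical helper: the same three headers the post mentions, but every
// interpolated value has been checked first. Headers are joined with CRLF
// (assumed here; RFC 2822 line ending).
function buildAdditionalHeaders(string $from): string
{
    $from = assertSingleHeaderLine($from, 'From');
    return "From: $from\r\n"
         . "Reply-To: $from\r\n"
         . "X-Mailer: my program name/0.0";
}

// Hypothetical helper: count the header lines sendmail would actually see.
function countHeaderLines(string $headers): int
{
    return count(preg_split('/\r\n|\r|\n/', rtrim($headers)));
}

// Constructed inputs: an ordinary address and the kind of value the post describes.
$normal   = 'ulf@example.invalid';
$injected = "ulf\nX-Header-1: test";

// Unchecked concatenation, as in the post: the value adds two extra header lines.
$unsafe = "From: $injected\nReply-To: $injected\nX-Mailer: my program name/0.0";
echo countHeaderLines($unsafe), " header lines from unchecked concatenation\n"; // 5

// The checked builder produces exactly the three headers it was asked for.
echo countHeaderLines(buildAdditionalHeaders($normal)), " header lines from the checked builder\n"; // 3

// The same injected value is rejected before it reaches mail().
try {
    buildAdditionalHeaders($injected);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}

// With a validated value the mail() call is the usual one (not executed here):
// mail($to, $subject, $body, buildAdditionalHeaders($from));
```

The check is deliberately a rejection rather than a strip: silently removing CR and LF would still let "ulf\nX-Header-1: test" arrive as "ulfX-Header-1: test", which hides the attempt from the application's logs. Refusing the request makes the injection attempt visible and keeps the "From:" value a single line by construction.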