Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.0.0

Request #6229 Protection against mail injection
Submitted: 2005-12-12 15:32 UTC
From: web2005 at ahlenstorf dot ch Assigned: jon
Status: Closed Package: Mail
PHP Version: 5.0.5 OS: Debian GNU/Linux 3.1
Roadmaps: (Not assigned)    
Subscription  


 [2005-12-12 15:32 UTC] web2005 at ahlenstorf dot ch
Description: ------------ We experienced some mail injection attacks (http://securephp.damonkohler.com/index.php/Email_Injection) against forms using PEAR::Mail (and raw mail()). The problem is not the package itself, but the programmers who forget to sanitize the input. I wrote a small patch that tries to address the issue in PEAR::Mail. You can see it here (not very well tested, but works at the moment): http://andreas.ahlenstorf.ch/Mail.patch It looks at every value in the headers array and strips everything that comes after a character, that may be interpreted as header separator (eg. new line or carriage return). In the end, it's a general purpose solution (a.k.a. sledgehammer) to prevent the worst case (lots of spam). Additional checks to prevent bounces et al. can be performed later or somewhere else. I don't know how's your policy regarding protection against forged input, but I really think it's worth thinking about the inclusion of the patch or a similar solution, because PEAR::Mail's sensitivity for email injection is not obvious, above all for beginners. That comes from the API, that takes the headers as associative array where you don't expect that a value can become another header. Test script: --------------- <?php // "user supplied input" $reply_to = "att@cker.tld\nBcc:spam@victim.tld"; include('Mail.php'); $recipients = 'foo@owner.tld'; $headers['From'] = "website@owner.tld"; $headers['To'] = 'recipient@owner.tld'; $headers['Subject'] = 'Test message'; $headers['Reply-To'] = $reply_to; $body = 'Test message'; // Create the mail object using the Mail::factory method $mail_object =& Mail::factory('mail'); var_dump($mail_object->send($recipients, $headers, $body)); ?> Expected result: ---------------- Only email in the mailbox of recipient@owner.tld. Actual result: -------------- Email in the mailbox of recipient@owner.tld, spam@victim.tld and emails from AOL to our abuse address...

Comments

 [2006-02-03 21:11 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!
 [2006-03-08 05:30 UTC] soporte at onfocus dot cl (Cristian Rodriguez)
At least the new "Zend_Mail" provides protection for this trick by default. will be nice if PEAR Mail can do the a similar thing.
 [2006-09-13 05:32 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!
 [2006-09-14 07:13 UTC] c dot sar dot miyasato at gmail dot com (Takeshi Miyaato)
function _sanitizeHeaders in Mail.php erase "boundary" in "Content-Type". Can not send a html mail in the sample, http://pear.php.net/manual/en/package.mail.mail-mime.example.php Expected result: ---------------- Content-Type: multipart/alternative; boundary--"=_29e435fcd1c17793cd33f23cc34b7c1e" Actual result: -------------- Content-Type: multipart/alternative; --=_29e435fcd1c17793cd33f23cc34b7c1e Adding a "return;" in front of the function is an emergency measure. function _sanitizeHeaders(&$headers) { return;
 [2006-09-15 03:52 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!