Re: PHP: Bypass safe_mode and inject ASCII control chars with mail()

From: Ulf Harnhammar (ulfhat_private)
Date: Wed Aug 28 2002 - 15:05:43 PDT


    On Fri, 23 Aug 2002, Wojciech Purczynski wrote:
    
    > Issue:
    > ======
    > 
    > Two vulnerabilities exists in mail() PHP function. The first one allows to
    > execute any program/script bypassing safe_mode restriction, the second one
    > may give an open-relay script if mail() function is not carefully used in
    > PHP scripts.
    
    [..]
    
    > (2) Injecting ASCII control characters into mail() arguments
    > 
    > Arbitrary ASCII control characters may be injected into string arguments
    > of mail() function. If mail() arguments are taken from user's input it
    > may give the user ability to alter message content including mail
    > headers.
    > 
    > Example of such a vulnerability may be found on PHP.net site:
    > 
    > (URL wrapped for readability)
    > http://www.php.net/mailing-lists.php?
    > 	maillist=yourat_private%0a&email=fakeat_private%0a
    > 
    > PHP should do content filtering before creating message body sent 
    > with "sendmail -t" command.
    
    It is hard for the PHP developers to do something about this CRLF
    Injection issue, as this function's interface is badly designed.
    
    mail() has got an optional fourth parameter, string additional_headers,
    where all the other headers apart from "To:" and "Subject:" go. Lots of
    PHP scripts use it to set "From:" and "Reply-To:" headers, by giving
    additional_headers a value like "From: $from\nReply-To: $from\n" .
    "X-Mailer: my program name/0.0". If $from has got the value
    "ulf\nX-Header-1: test", you end up with
    "From: ulf\nX-Header-1: test\nReply-To: ulf\nX-Header-1: test\nX-Mailer: my
    program name/0.0". (See my earlier Bugtraq post, "Geeklog XSS and CRLF
    Injection", for a real-life example.)
    
    If additional_headers had been an array instead of a string, the PHP
    developers could have filtered out all occurrences of CR or LF characters
    in each array element. As it is in fact a string, lots and lots of scripts
    that use variables defined by the user without filtering are vulnerable to
    all kinds of CRLF Injection issues while sending e-mail.
    
    // Ulf Harnhammar
    ulfhat_private
    http://www.metaur.nu/
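The header construction Ulf describes, next to the per-element CR/LF check he says PHP could have applied if additional_headers were an array, as an added example (not code from the original post; the function names and the constructed $from value are assumptions):

```php
<?php
// Added example, not from the original post. Shows the string-based
// header building the post criticises and an array-based alternative
// that rejects any element containing CR or LF.

// Pattern from the post: $from is pasted straight into the header string,
// so an embedded "\n" in $from starts a new header line.
function unsafe_headers(string $from): string
{
    return "From: $from\nReply-To: $from\n" .
           "X-Mailer: my program name/0.0";
}

// Hardened variant: headers arrive as name => value pairs and any pair
// containing CR or LF is refused, so one value can never become two lines.
function safe_headers(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        if (preg_match('/[\r\n]/', $name . $value)) {
            throw new InvalidArgumentException("CR/LF in header '$name'");
        }
        $lines[] = "$name: $value";
    }
    return implode("\r\n", $lines);
}

// Helper to make the effect visible: number of header lines produced.
function header_line_count(string $headers): int
{
    return count(preg_split('/\r\n|\n|\r/', rtrim($headers)));
}

// Constructed input mirroring the post's "ulf\nX-Header-1: test".
$from = "ulf\nX-Header-1: test";

// The unsafe builder emits more header lines than the three it intended,
// because the injected text is treated as additional headers.
echo "unsafe: ", header_line_count(unsafe_headers($from)), " header lines\n";

// The array-based builder refuses the same input outright.
try {
    safe_headers(['From' => $from, 'Reply-To' => $from]);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected (", $e->getMessage(), ")\n";
}

// Clean values pass and yield exactly one line per header supplied.
$clean = safe_headers(['From' => 'ulf', 'Reply-To' => 'ulf',
                       'X-Mailer' => 'my program name/0.0']);
echo "safe: ", header_line_count($clean), " header lines\n";
```

The same check belongs on the Subject and To arguments as well, since the post notes that every string argument of mail() accepts control characters.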
    



    This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 16:14:20 PDT