#229 MAIL() CRLF INJECTION

Status: closed-fixed
Owner: nabber00
Labels: Security (24)
Priority: 7
Updated: 2010-08-15
Created: 2010-08-15
Creator: nabber00
Private: No

User-supplied variables are not checked before being used in the mail()
function. The file "comment_add_cgi.php" calls the
write_comment() function with the following parameters:

214| $comment_name = sb_stripslashes($_POST['comment_name']);
215| $comment_email = sb_stripslashes($_POST['comment_email']);
216| $comment_url = sb_stripslashes($_POST['comment_url']);
217| $comment_text = sb_stripslashes($_POST['comment_text']);
218|
219| $result = write_comment($_POST[ 'y' ],$_POST[ 'm' ], $_POST['entry' ],
220| $comment_name,
221| $comment_email,
222| $comment_url,
223| $comment_text,
224| $_POST[ 'user_ip' ],
225| $moderationFlag,
226| time() );

Then the function clean_post_text() is applied to $comment_email.
But this function does not protect against CRLF injection: it does
not replace the \r and \n characters. Take a look at the file
"sb_comments.php":

471| function write_comment($y,$m,$entry,$comment_name,$comment_email
|
525| if ( $comment_email != '' ) {
526| $save_data[ 'EMAIL' ] = clean_post_text( $comment_email );
527| }
|
584| // Send the Email
585| if ( array_key_exists( 'EMAIL', $save_data ) ) {
586| sb_mail( $save_data[ 'EMAIL' ], $blog_config[ 'blog_email' ], $subject, $body, false );
587| }

The purpose of the sb_mail() function is to send mass emails.
As you can see below, there is no protection against
$save_data[ 'EMAIL' ].

45| function sb_mail ($from, $to, $subject, $body, $text=true, $priority=3) {
|
69| $headers .= 'From: ' . $from . " \r\n";
70| $headers .= 'Reply-To: ' . $from . " \r\n";
71| $headers .= 'Return-Path: ' . $from . " \r\n";
|
76| ini_set('sendmail_from', $from);
77| for ( $j=0; $j < count($to_array); $j++ ) {
78| $result = mail( $to_array[$j], sb_stripslashes($subject), sb_stripslashes($body), $headers );
79| }
80| ini_restore('sendmail_from');

So an attacker can perform a CRLF injection attack against the mail()
function; it would probably be used by spammers.

Source: http://archive.cert.uni-stuttgart.de/bugtraq/2007/10/msg00314.html
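As an added example, not code from the project or from the original report, the following PHP reproduces the header-assembly pattern quoted from sb_mail() with a constructed attacker value for the comment_email field, and puts a hardened version beside it that rejects any value containing CR, LF or NUL and then validates it as a single address. The function names build_headers_vulnerable(), build_headers_safe() and header_field_names() are assumptions for illustration and do not exist in the project.

```php
<?php
// Added example: not code from the project or from the advisory above.
// It reproduces the header assembly pattern quoted from sb_mail() and puts a
// hardened version beside it. build_headers_vulnerable(), build_headers_safe()
// and header_field_names() are illustrative names, not project functions.
// Requires PHP 7.1+ for the nullable return type.

// Pattern from the vulnerable sb_mail(): $from is concatenated into three
// header lines with no filtering of CR/LF.
function build_headers_vulnerable(string $from): string
{
    $headers  = 'From: ' . $from . "\r\n";
    $headers .= 'Reply-To: ' . $from . "\r\n";
    $headers .= 'Return-Path: ' . $from . "\r\n";
    return $headers;
}

// Hardened replacement: reject the value outright instead of trying to
// clean it. The explicit control-character check makes the intent obvious;
// FILTER_VALIDATE_EMAIL additionally limits the value to a single address.
// Returns null when the input is unacceptable so the caller cannot fall
// through to mail() with a bad From.
function build_headers_safe(string $from): ?string
{
    if (preg_match('/[\r\n\0]/', $from) === 1) {
        return null;
    }
    $addr = filter_var($from, FILTER_VALIDATE_EMAIL);
    if ($addr === false) {
        return null;
    }
    $headers  = 'From: ' . $addr . "\r\n";
    $headers .= 'Reply-To: ' . $addr . "\r\n";
    $headers .= 'Return-Path: ' . $addr . "\r\n";
    return $headers;
}

// Lists the field names a mail transfer agent would see in a header block,
// so the effect of an injected CRLF is visible without sending any mail.
function header_field_names(string $headers): array
{
    $names = [];
    foreach (preg_split('/\r\n/', rtrim($headers, "\r\n")) as $line) {
        $colon   = strpos($line, ':');
        $names[] = ($colon === false) ? $line : substr($line, 0, $colon);
    }
    return $names;
}

// Constructed attacker value for the comment_email field: a plausible
// address followed by CRLF and extra header lines.
$attack = "victim@example.com\r\nBcc: spam-target@example.net\r\nSubject: injected";

echo "vulnerable: ",
     implode(' ', header_field_names(build_headers_vulnerable($attack))), "\n";

$safe = build_headers_safe($attack);
echo "hardened, attack value: ", ($safe === null ? 'rejected' : 'accepted'), "\n";

$safe = build_headers_safe('alice@example.com');
echo "hardened, clean value: ",
     ($safe === null ? 'rejected' : implode(' ', header_field_names($safe))), "\n";
```

Run with `php example.php`. The first line shows Bcc and Subject appearing three times among the field names, once after each of From, Reply-To and Return-Path, which is exactly what the quoted sb_mail() would hand to mail(); the hardened function rejects the attack value and accepts the clean address with only the three intended fields. The check must run before the value reaches mail(): whether mail() itself refuses malformed additional headers depends on the PHP version, so application code should not rely on it.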

Discussion

  • nabber00 - 2010-08-15

    Fixed in svn r44.

  • nabber00 - 2010-08-15

    status: open --> closed-fixed
