PHP Mail Function ASCII Control Character Header Spoofing

2003-07-30T00:00:00
ID OSVDB:2111
Type osvdb
Reporter OSVDB
Modified 2003-07-30T00:00:00

Description

Vulnerability Description

PHP 4.x to 4.2.2 contains a flaw in the mail() function, which does not properly sanitize user input. A user may pass ASCII control characters to the mail() function that alter the headers of the email. This could result in spoofed mail headers.

Technical Description

Arbitrary ASCII control characters may be injected into the string arguments of the mail() function. If mail() arguments are taken from user input, the user may be able to alter the message content, including mail headers.
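Where mail() arguments come from user input, the application can refuse control characters before the call is made. The following is an added example, not code from OSVDB or the PHP project; it is written for current PHP (7 or later), and safe_mail() and has_control_chars() are hypothetical helper names.

```php
<?php
// Added example: reject ASCII control characters in mail() arguments.
// safe_mail() and has_control_chars() are hypothetical helper names.

/** True if $s contains any ASCII control character (0x00-0x1F or 0x7F). */
function has_control_chars(string $s): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $s) === 1;
}

/**
 * Validate the single-line fields, then hand off to mail().
 * Returns false without sending when a field fails validation.
 */
function safe_mail(string $to, string $subject, string $body, string $from): bool
{
    // Recipient, subject and sender must each be a single line of printable text.
    foreach (['to' => $to, 'subject' => $subject, 'from' => $from] as $name => $value) {
        if (has_control_chars($value)) {
            // Log only the field name, never the untrusted value itself.
            error_log("mail rejected: control character in '$name' field");
            return false;
        }
    }
    // Addresses must also parse as one well-formed address each.
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // The body is legitimately multi-line: allow tab, CR and LF only.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $body) === 1) {
        error_log("mail rejected: control character in 'body' field");
        return false;
    }
    return mail($to, $subject, $body, 'From: ' . $from);
}

// Constructed sample values; only the check runs here, nothing is sent.
var_dump(has_control_chars('Quarterly report'));
var_dump(has_control_chars("Quarterly\x0Areport"));
var_dump(has_control_chars("user@example.org\x0D\x0A"));
```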

Solution Description

Upgrade to the latest version of PHP available, or disable the mail() function in the php.ini.

Manual Testing Notes

Telnet to the target IP on port 80 and type HEAD / HTTP/1.0. Check the PHP version; if it is older than 4.2.2, the system may be vulnerable.

References:

Vendor Specific Advisory URL
Related OSVDB ID: 2160
Nessus Plugin ID: 11444
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103011916928204&w=2
CVE-2002-0985
Bugtraq ID: 5562