Drupal Email Crafted Header Spoofing

2006-03-13T07:47:37
ID OSVDB:23912
Type osvdb
Reporter kbahey(), Norrin()
Modified 2006-03-13T07:47:37

Description

Vulnerability Description

Drupal contains a flaw that allows a malicious user to insert line feeds and carriage returns into outgoing email. This allows the attacker to insert bogus headers into outgoing email. This could lead to Drupal sites being used to send unwanted email.
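The flaw class described above, as an added example that is not Drupal's own code: a header builder that concatenates user input, next to one that rejects CR, LF and NUL before the value reaches a header line. The function names and the sample input are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; hypothetical helper names, not taken from Drupal.

// Vulnerable pattern: user-supplied values are concatenated into a header line.
function build_headers_unsafe(string $fromName, string $fromAddr): string {
    return "From: $fromName <$fromAddr>\r\n" . "X-Mailer: example-site";
}

// Reject any value that could terminate the current header line.
function assert_header_value(string $label, string $value): string {
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("$label contains a line break or NUL");
    }
    return $value;
}

// Hardened pattern: validate every value, then quote the display name.
function build_headers_safe(string $fromName, string $fromAddr): string {
    $fromName = assert_header_value('sender name', $fromName);
    $fromAddr = assert_header_value('sender address', $fromAddr);
    if (filter_var($fromAddr, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('sender address is not a valid address');
    }
    $quoted = '"' . addcslashes($fromName, "\"\\") . '"';
    return "From: $quoted <$fromAddr>\r\n" . "X-Mailer: example-site";
}

// Count physical header lines, treating bare CR or LF as a line break too.
function count_header_lines(string $headers): int {
    return count(preg_split('/\r\n|\r|\n/', $headers));
}

// Constructed sample input: a display name carrying an embedded CRLF.
$name = "Alice\r\nX-Injected: 1";
$addr = "alice@example.com";

$unsafe = build_headers_unsafe($name, $addr);
echo "unsafe builder produced ", count_header_lines($unsafe),
     " header lines where 2 were intended\n";

try {
    build_headers_safe($name, $addr);
} catch (InvalidArgumentException $e) {
    echo "safe builder rejected the input: ", $e->getMessage(), "\n";
}

echo build_headers_safe("Alice", $addr), "\n";
```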

Solution Description

Upgrade to version 4.5.8, 4.6.6 or higher, as these versions have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://drupal.org/
Vendor Specific Advisory URL
Vendor Specific Advisory URL
Secunia Advisory ID: 19257
Secunia Advisory ID: 19245
Related OSVDB ID: 23910
Related OSVDB ID: 23911
Related OSVDB ID: 23909
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/1468.html
Keyword: DRUPAL-SA-2006-004
ISS X-Force ID: 25206
CVE-2006-1225