PHP mail() Function Arbitrary Mail Sending

2007-03-26T06:57:38
ID OSVDB:33948
Type osvdb
Reporter OSVDB
Modified 2007-03-26T06:57:38

Description

Vulnerability Description

PHP contains a flaw that may allow a remote attacker to manipulate mail functionality. The issue is due to the mail() function not properly sanitizing user-supplied input. By supplying CRLF (newline) characters, an attacker can inject arbitrary e-mail headers, which may allow them to send mail to arbitrary hosts by supplying a control character after a Subject: or To: parameter.
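The injection described above depends on control characters reaching the To and Subject arguments of mail(). The following is an added example, not part of the original advisory or of PHP's own code: a caller-side check that refuses such values before mail() is called. The function names and sample inputs are constructed for illustration, and the check is assumed to run as defense in depth alongside the upgrade named in the solution.

```php
<?php
// Added example: refuse control characters in values destined for the
// $to and $subject arguments of mail(). Function names are hypothetical.

/**
 * True when $value contains no ASCII control characters
 * (0x00-0x1F and 0x7F), which covers CR, LF and TAB.
 */
function mail_field_is_clean(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

/**
 * Returns [$to, $subject] unchanged when both are clean and throws
 * otherwise. Rejecting is preferred to stripping, so a tampered
 * request is never turned into a "valid" message silently.
 */
function checked_mail_fields(string $to, string $subject): array
{
    foreach (['to' => $to, 'subject' => $subject] as $name => $value) {
        if (!mail_field_is_clean($value)) {
            throw new InvalidArgumentException("control character in $name field");
        }
    }
    return [$to, $subject];
}

// Constructed sample inputs: one clean, two carrying CR/LF sequences.
$samples = [
    ['alice@example.com', 'Contact form'],
    ["alice@example.com\r\nBcc: other@example.net", 'Contact form'],
    ['alice@example.com', "Hello\r\n\tworld"],
];

foreach ($samples as [$to, $subject]) {
    try {
        [$to, $subject] = checked_mail_fields($to, $subject);
        // mail($to, $subject, $body) would be called here.
        echo 'accepted: ', json_encode([$to, $subject]), "\n";
    } catch (InvalidArgumentException $e) {
        // Log the rejection; the request never reaches mail().
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```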

Solution Description

Upgrade to version 5.2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


References:

Vendor URL: http://www.php.net/
Secunia Advisory ID: 25025
Secunia Advisory ID: 25062
Secunia Advisory ID: 25056
Secunia Advisory ID: 25192
Secunia Advisory ID: 24924
Secunia Advisory ID: 26235
Secunia Advisory ID: 24965
Secunia Advisory ID: 24909
Secunia Advisory ID: 25057
Secunia Advisory ID: 25445
RedHat RHSA: RHSA-2007:0153
RedHat RHSA: RHSA-2007:0155
Other Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:089
Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2007-May/0007.html
Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20070501-01-P.asc
Other Advisory URL: http://www.us.debian.org/security/2007/dsa-1282
Other Advisory URL: http://www.php-security.org/MOPB/MOPB-33-2007.html
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200705-19.xml
Other Advisory URL: http://www.php-security.org/MOPB/MOPB-34-2007.html
Other Advisory URL: http://www.ubuntu.com/usn/usn-455-1
Other Advisory URL: http://www.us.debian.org/security/2007/dsa-1283
Other Advisory URL: http://docs.info.apple.com/article.html?artnum=306172
CVE-2007-1718
CVE-2007-1717
Bugtraq ID: 23146
Bugtraq ID: 23145