php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #54397 Several issues with in http://news.php.net
Submitted: 2011-03-26 18:27 UTC Modified: 2014-12-30 18:21 UTC
From: lekensteyn at gmail dot co Assigned: bjori (profile)
Status: Closed Package: Website problem
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: lekensteyn at gmail dot co
New email:
PHP Version: OS:

 

 [2011-03-26 18:27 UTC] lekensteyn at gmail dot co
Description:
------------
Some pages on http://news.php.net/ are vulnerable to XSS through special-crafted e-mail messages. A list of issues has been listen below.

article.php:
- (XSS) Unsanitized `Subject` header is inserted in the document title through `start_article()`
- (XSS) The filename and mimetypes of attachments are inserted directly through `echo`
- malformed HTML due to an invalid HTML href= attribute is possible because URL's are converted with htmlspecialchars($line,ENT_NOQUOTES).
- The `Date` header is passed directly to `strtotime`, which can lead to funny dates in the message, by using values like `yesterday` or `now` for example
- Possible denial of service on the news server because there is no limit set on the number of references
- (bug) mime headers are ignore
- (enh) do not quit if no connection could be made to the newsserver when looking for references
- (enh)
According to section 2.2.3 of RFC 2822 (Internet Message Format), a header may be split over multiple lines:
--quote--
   Each header field is logically a single line of characters comprising
   the field name, the colon, and the field body.  For convenience
   however, and to deal with the 998/78 character limitations per line,
   the field body portion of a header field can be split into a multiple
   line representation; this is called "folding".  The general rule is

   that wherever this standard allows for folding white space (not
   simply WSP characters), a CRLF may be inserted before any WSP.  For
   example, the header field:

           Subject: This is a test

   can be represented as:

           Subject: This
            is a test
--quote--
Currently, it's assumed that a new header field contains a colon (:), otherwise, it's a continuation of the previous header field.

common.inc:
- Function start_article() is defined here, the title is shown without escaping
- htmlspecialchars() is redundant when urlencode is called before

getpart.php:
- If the attachment contains malicious HTML code, it could steal php.net's cookies and make php.net possibly end up in malware databases
- (enh) see headers section in article.php
- (enh) clean up some unused variables and constructs

Test script:
---------------
First test:
http://news.php.net/php.test/879

Further posts:
http://news.php.net/php.test/880



Patches

the-magic-patch-fixing-suggestions-from-description (last revision 2011-03-26 20:55 UTC by lekensteyn at gmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-09-12 11:09 UTC] bjori@php.net
Your patch seems ok, but I don't quite understand what your test posts are 
demonstrating?
 [2014-12-30 08:42 UTC] stas@php.net
-Assigned To: +Assigned To: bjori
 [2014-12-30 18:21 UTC] bjori@php.net
-Status: Assigned +Status: Closed
 [2014-12-30 18:21 UTC] bjori@php.net
The fix for this bug has been committed. Since the websites are not directly
updated from the repository, the fix might need some time to spread
across the globe to all mirror sites, including PHP.net itself.

Thank you for the report, and for helping us make PHP.net better.

woha, this got completely lost.

I updated the patch a little so it applies cleanly and have pushed it now.

Thanks for the fixes!
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 08:01:28 2024 UTC