Bug #19120 Open-relay PHP script using unfiltered data on mail()
Submitted: 2002-08-27 05:27 UTC Modified: 2002-08-27 05:57 UTC
From: vogel at folz dot de Assigned:
Status: Closed Package: Mail related
PHP Version: 4.2.2 OS: Linux (or any Unix)
Private report: No CVE-ID: None
 [2002-08-27 05:27 UTC] vogel at folz dot de
Well, I'm not the person who found this, I just
want to have this reported here.

A few days ago Wojciech Purczynski <cliph@isec.pl>
reported a security problem with the mail()
function to bugtraq, see:

http://online.securityfocus.com/archive/1/288804

I must admit that I haven't checked the validity
of his claims. But because there is still no
reply from anyone to his email on bugtraq, I figured
it should be reported here.

 [2002-08-27 05:34 UTC] derick@php.net
The first issue is fixed already, and will be in version 4.2.3 (due in a few weeks).
IIRC the second issue is also fixed, but I'm not totally sure.
 [2002-08-27 05:35 UTC] sesser@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. Because of this, we hope you add your comments
to the original bug instead.

Thank you for your interest in PHP.
 [2002-08-27 05:44 UTC] vogel at folz dot de
Could you please tell me the bug ID of the existing
bug report?  I _did_ search the bug database before
submitting my report, but did not find an entry that
would match what Wojciech Purczynski described as the
second problem in his report.

And a note to derick@php.net:
Wojciech Purczynski said that the first problem is fixed
in 4.2.2, but the fix for the second problem is incomplete.
 [2002-08-27 05:57 UTC] sesser@php.net
#17746

The problems are not fixed in 4.2.2 and if you actually read the advisory you will see that he says it is fixed in the last CVS snapshot. That's true, because the bugs were fixed several weeks ago.

The second problem was fixed in the snapshot, too. It is
not possible to inject ASCII control characters into the
mail for weeks (if not months) now. The only thing that
the fix made possible was to truncate the subject line
by inserting an ASCII control character into it. Nothing
really dangerous. Anyway I changed the behaviour a few
days ago to overwrite control characters with whitespace instead of truncating the input. 
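
The two behaviours described in the last comment (cutting the subject at the first ASCII control character versus overwriting control characters with whitespace), as an added example that is not part of the original thread and is not PHP's own source. The function names `truncate_at_control` and `blank_controls` and the sample subject are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: cut the value at the first ASCII control character
 * (the truncating behaviour). Returns the number of bytes kept. */
size_t truncate_at_control(char *s)
{
    size_t i;
    for (i = 0; s[i] != '\0'; i++) {
        if (iscntrl((unsigned char)s[i])) {
            s[i] = '\0';
            break;
        }
    }
    return i;
}

/* Hypothetical helper: overwrite every ASCII control character with a
 * space, so the value stays on one header line and keeps its length.
 * Returns the number of bytes replaced. */
size_t blank_controls(char *s)
{
    size_t replaced = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (iscntrl((unsigned char)s[i])) {
            s[i] = ' ';
            replaced++;
        }
    }
    return replaced;
}

int main(void)
{
    /* Constructed input: a subject value carrying CR, LF and a tab. */
    char a[] = "Order 42\r\nX-Injected: yes\tend";
    char b[] = "Order 42\r\nX-Injected: yes\tend";

    size_t kept = truncate_at_control(a);
    size_t n = blank_controls(b);
    printf("truncated (%zu bytes kept): \"%s\"\n", kept, a);
    printf("blanked   (%zu replaced):   \"%s\"\n", n, b);
    return 0;
}
```

In both cases no CR or LF survives, so the value cannot start a new header line; the difference is that truncation silently drops the rest of the subject while blanking preserves it.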
