Bug #35659 Insecure arguments 'to', 'subject' and 'headers' - ISP problem related
Submitted: 2005-12-13 13:42 UTC Modified: 2005-12-13 15:43 UTC
Votes: 18
Avg. Score: 4.6 ± 0.8
Reproduced: 14 of 14 (100.0%)
Same Version: 5 (35.7%)
Same OS: 7 (50.0%)
From: icebraker at icebraker dot org Assigned:
Status: Wont fix Package: Mail related
PHP Version: 4.4.1 OS: Irrelevant
Private report: No CVE-ID: None
 [2005-12-13 13:42 UTC] icebraker at icebraker dot org
Description:
------------
Function arguments are not checked for end of headers '\n\n'.
When you add, for example, your own headers with '\n\n' and a body after the '\n\n' to the unchecked 'headers' argument, the rest of your original message will come after this hacked message.

A huge amount of spam is sent by this feature, because people can't write their scripts safely at first, but these arguments should be checked for '\n\n' so they are not hackable.


Reproduce code:
---------------
// Attacker-controlled value: ends the From header, adds its own Subject and a body
$email = "owner@domain.org\nSubject: Viagra\n\nBuy a viagra in our eshop - it's for free!!!\n.\n\n\n\n\n";

// Passed straight into the headers argument without any check
$headers = "From: $email\nX-Mailer: PHP";

mail("icebraker@icebraker.org", "subject of the message", "body of the message", $headers);


Expected result:
----------------
1) Everything after '\n\n' will be truncated and '\n\n' will be changed to '\n' to not corrupt the headers

To: icebraker@icebraker.org
Subject: subject of the message
From: owner@domain.org
Subject: Viagra

body of the message


2) PHP can return an error message that there can't be a '\n\n' in the 'to' arguments.

Actual result:
--------------
To: icebraker@icebraker.org
Subject: subject of the message
From: owner@domain.org
Subject: Viagra

Buy a viagra in our eshop - it's for free!!!
.






body of the message
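The check the reporter asks for can be done in the calling script even when mail() itself does nothing. The wrapper below is an added example written for this page, not code from the bug report or from PHP: it refuses any `to`, `subject` or header value that contains a line break or other control character, and it builds the headers string itself from a name => value map, so a caller can never hand it a pre-assembled multi-line string. Function and class names (`mail_checked`, `assert_single_line`, `MailHeaderInjectionException`) are this example's own.

```php
<?php
// Added example (not from the bug report): reject mail() arguments that
// carry line breaks, so a caller-supplied value cannot append headers or
// terminate the header block with a blank line.

final class MailHeaderInjectionException extends InvalidArgumentException {}

/**
 * Return $value unchanged if it contains no control characters; otherwise
 * throw. Every mail() argument that ends up in the header block goes
 * through this, because "\r" and "\n" are exactly what lets a value escape
 * its own header line.
 */
function assert_single_line(string $name, string $value): string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        throw new MailHeaderInjectionException(
            "argument '$name' contains a control character (possible header injection)"
        );
    }
    return $value;
}

/**
 * Wrapper around mail(). $extraHeaders is a map of header name => value, so
 * each header is validated on its own and joined with CRLF here, instead of
 * trusting a caller-built headers string.
 */
function mail_checked(string $to, string $subject, string $body, array $extraHeaders = []): bool
{
    $to      = assert_single_line('to', $to);
    $subject = assert_single_line('subject', $subject);

    $lines = [];
    foreach ($extraHeaders as $name => $value) {
        // Header names: printable ASCII without ':' (RFC 5322 field-name).
        if (!preg_match('/^[\x21-\x39\x3B-\x7E]+$/', (string) $name)) {
            throw new MailHeaderInjectionException("invalid header name '$name'");
        }
        $lines[] = $name . ': ' . assert_single_line("header $name", (string) $value);
    }
    $headers = implode("\r\n", $lines);

    // The body may legitimately contain newlines; only header material is checked.
    return mail($to, $subject, $body, $headers);
}

// Demonstration with the From value from the report: the call is refused
// instead of a second, attacker-written message being sent.
$email = "owner@domain.org\nSubject: Viagra\n\nBuy a viagra in our eshop - it's for free!!!\n.\n\n\n\n\n";
try {
    mail_checked('icebraker@icebraker.org', 'subject of the message', 'body of the message', [
        'From'     => $email,
        'X-Mailer' => 'PHP',
    ]);
    echo "sent\n";
} catch (MailHeaderInjectionException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
```

Rejecting rather than truncating is the safer of the reporter's two proposals: silently cutting at '\n\n' still lets a single injected '\n' add a header such as a second recipient, and an exception also gives the operator a log entry to alert on. PHP 7.2 and later accept an array for the headers parameter of mail() itself; this wrapper targets the string form used in the report and runs on older versions too.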


 [2005-12-13 14:44 UTC] sniper@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php


 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Nov 27 21:03:13 2021 UTC