Bug #35659 Insecure arguments 'to', 'subject' and 'headers' - ISP problem related
Submitted: 2005-12-13 13:42 UTC Modified: 2005-12-13 15:43 UTC
Votes:18
Avg. Score:4.6 ± 0.8
Reproduced:14 of 14 (100.0%)
Same Version:5 (35.7%)
Same OS:7 (50.0%)
From: icebraker at icebraker dot org Assigned:
Status: Wont fix Package: Mail related
PHP Version: 4.4.1 OS: Irrelevant
Private report: No CVE-ID: None
 [2005-12-13 13:42 UTC] icebraker at icebraker dot org
Description:
------------
Function arguments are not checked for end of headers '\n\n'.
When you add for ex. to unchecked 'headers' argument your own headers with '\n\n' and a body after the '\n\n', the rest of your original message will be after this hacked message.

A huge count of spam is sent by this feature, because people can't write their scripts safe at first, but these arguments should be checked for '\n\n' to not be hackable.


Reproduce code:
---------------
// Attacker-controlled value: a second Subject line, then an empty line
// (end of headers) followed by a body of its own.
$email = "owner@domain.org\nSubject: Viagra\n\nBuy a viagra in our eshop - it's for free!!!\n.\n\n\n\n\n";

// The injected value is pasted into the additional-headers argument unchecked.
$headers = "From: $email\nX-Mailer: PHP";

mail("icebraker@icebraker.org", "subject of the message", "body of the message", $headers);


Expected result:
----------------
1) Everything after '\n\n' will be truncated and '\n\n' will be changed to '\n' to not corrupt the headers

To: icebraker@icebraker.org
Subject: subject of the message
From: owner@domain.org
Subject: Viagra

body of the message


2) PHP can return an error message that there can't be a '\n\n' in arguments 'to'.

Actual result:
--------------
To: icebraker@icebraker.org
Subject: subject of the message
From: owner@domain.org
Subject: Viagra

Buy a viagra in our eshop - it's for free!!!
.






body of the message
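As an added example (not code from the bug report or from PHP itself), here is a validation layer a script can put in front of mail() that implements the reporter's second expected behaviour: refuse the call when a header argument contains a line break or an end-of-headers blank line instead of silently repairing it. The accepted header-line syntax, the function names and the constructed inputs are this example's own assumptions.

```php
<?php
// Single header value (the 'to' or 'subject' argument): a bare CR, LF or NUL
// is never legitimate, so reject the value outright.
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Additional-headers block: each line must be "Name: value" or a folded
// continuation line. An empty line is the end-of-headers marker described in
// the report, so it is rejected because everything after it becomes body.
function is_safe_header_block(string $headers): bool
{
    // Tolerate exactly one trailing line break (common when building headers).
    $headers = preg_replace('/\r?\n\z/', '', $headers);
    if ($headers === '') {
        return true;
    }
    foreach (preg_split('/\r\n|\r|\n/', $headers) as $line) {
        if ($line === '' || strpos($line, "\0") !== false) {
            return false; // blank line = start of body; NUL = truncation tricks
        }
        $isHeader       = preg_match('/^[A-Za-z0-9-]+:[ \t]*\S/', $line) === 1;
        $isContinuation = preg_match('/^[ \t]+\S/', $line) === 1;
        if (!$isHeader && !$isContinuation) {
            return false;
        }
    }
    return true;
}

// Wrapper that applies the checks before handing the arguments to mail().
function safe_mail(string $to, string $subject, string $body, string $headers = ''): bool
{
    if (!is_safe_header_value($to) || !is_safe_header_value($subject)
        || !is_safe_header_block($headers)) {
        trigger_error('mail(): line breaks in header arguments are not allowed', E_USER_WARNING);
        return false;
    }
    return mail($to, $subject, $body, $headers);
}

// Constructed inputs shaped like the report: an extra Subject line and a
// smuggled body behind an empty line, versus a clean From header.
$injected = "owner@domain.org\nSubject: injected\n\ninjected body";
var_dump(is_safe_header_block("From: $injected\nX-Mailer: PHP"));
var_dump(is_safe_header_block("From: owner@domain.org\nX-Mailer: PHP"));
var_dump(is_safe_header_value("subject of the message"));
var_dump(is_safe_header_value("user@example.org\nBcc: other@example.org"));
```

The block-level check is deliberately stricter than RFC 5322 (header names restricted to letters, digits and hyphens); loosen the regular expression if a script needs exotic header names.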


History

 [2005-12-13 14:44 UTC] sniper@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 26 02:01:29 2024 UTC