Sec Bug #54397 Several issues with in
Submitted: 2011-03-26 18:27 UTC Modified: 2014-12-30 18:21 UTC
From: lekensteyn at gmail dot co Assigned: bjori (profile)
Status: Closed Package: Website problem
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
 [2011-03-26 18:27 UTC] lekensteyn at gmail dot co
Some pages on are vulnerable to XSS through specially crafted e-mail messages. A list of issues is given below.

- (XSS) Unsanitized `Subject` header is inserted in the document title through `start_article()`
- (XSS) The filename and mimetypes of attachments are inserted directly through `echo`
- malformed HTML due to an invalid HTML href= attribute is possible because URLs are converted with htmlspecialchars($line,ENT_NOQUOTES).
- The `Date` header is passed directly to `strtotime`, which can lead to funny dates in the message, by using values like `yesterday` or `now` for example
- Possible denial of service on the news server because there is no limit set on the number of references
- (bug) mime headers are ignored
- (enh) do not quit if no connection could be made to the news server when looking for references
- (enh)
According to section 2.2.3 of RFC 2822 (Internet Message Format), a header may be split over multiple lines:
   Each header field is logically a single line of characters comprising
   the field name, the colon, and the field body.  For convenience
   however, and to deal with the 998/78 character limitations per line,
   the field body portion of a header field can be split into a multiple
   line representation; this is called "folding".  The general rule is
   that wherever this standard allows for folding white space (not
   simply WSP characters), a CRLF may be inserted before any WSP.  For
   example, the header field:

           Subject: This is a test

   can be represented as:

           Subject: This
            is a test
Currently, it's assumed that a new header field contains a colon (:); otherwise, it's treated as a continuation of the previous header field.
- Function start_article() is defined here, the title is shown without escaping
- htmlspecialchars() is redundant when urlencode is called before

- If the attachment contains malicious HTML code, it could steal's cookies and make possibly end up in malware databases
- (enh) see headers section in article.php
- (enh) clean up some unused variables and constructs
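The folding rule quoted above, and the escaping the title needs, as an added example in PHP. This is not the patch attached to this report nor the site's own code; the function names and the raw message are constructed for illustration.

```php
<?php
// Added example (not this report's patch): parse raw article headers,
// unfolding RFC 2822 folded lines by the leading-WSP rule rather than the
// "no colon means continuation" heuristic, then escape values for HTML.

function parse_headers(string $raw): array {
    $headers = [];
    $current = null;
    // The header block ends at the first empty line; lines may end in CRLF or LF.
    foreach (preg_split('/\r?\n/', $raw) as $line) {
        if ($line === '') {
            break;
        }
        // RFC 2822 section 2.2.3: a line starting with WSP continues the previous
        // field body, whatever else (including a colon) the line contains.
        // The folding WSP is collapsed to a single space here.
        if ($current !== null && ($line[0] === ' ' || $line[0] === "\t")) {
            $headers[$current] .= ' ' . ltrim($line, " \t");
            continue;
        }
        // A new field is "name: body" where name is printable ASCII minus ':'
        // (RFC 2822 ftext). Anything else is malformed and is skipped.
        if (preg_match('/^([!-9;-~]+):[ \t]*(.*)$/', $line, $m)) {
            $current = strtolower($m[1]);
            $headers[$current] = $m[2];  // a repeated name overwrites, last wins
        } else {
            $current = null;
        }
    }
    return $headers;
}

// Escape a header value before it is placed in <title> or any attribute.
// ENT_QUOTES also encodes ' and ", which ENT_NOQUOTES leaves untouched and
// which is exactly what lets an attribute value be broken out of.
function html_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: a folded Subject whose continuation line contains a
// colon, and which carries markup that must not reach the page unescaped.
$raw = "From: someone@example.invalid\r\n"
     . "Subject: Re: fold test\r\n"
     . "\tcontinued: still the subject <script>alert(1)</script>\r\n"
     . "Message-ID: <constructed@example.invalid>\r\n"
     . "\r\n"
     . "body text";

$h = parse_headers($raw);
echo '<title>', html_escape($h['subject']), "</title>\n";
```

With the colon heuristic the tab-indented continuation line would have been taken as a new header named `continued`, truncating the subject; with the WSP rule it stays part of `subject` and is emitted entity-encoded.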

Test script:
First test:

Further posts:


the-magic-patch-fixing-suggestions-from-description (last revision 2011-03-26 20:55 UTC by lekensteyn at gmail dot com)


 [2011-09-12 11:09 UTC]
Your patch seems ok, but I don't quite understand what your test posts are 
 [2014-12-30 08:42 UTC]
-Assigned To: +Assigned To: bjori
 [2014-12-30 18:21 UTC]
-Status: Assigned +Status: Closed
 [2014-12-30 18:21 UTC]
The fix for this bug has been committed. Since the websites are not directly
updated from the repository, the fix might need some time to spread
across the globe to all mirror sites, including itself.

Thank you for the report, and for helping us make better.

whoa, this got completely lost.

I updated the patch a little so it applies cleanly and have pushed it now.

Thanks for the fixes!
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Jan 27 10:05:53 2023 UTC