Sec Bug #54397 Several issues with in http://news.php.net
Submitted: 2011-03-26 18:27 UTC Modified: 2014-12-30 18:21 UTC
From: lekensteyn at gmail dot co Assigned: bjori (profile)
Status: Closed Package: Website problem
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
 [2011-03-26 18:27 UTC] lekensteyn at gmail dot co
Description:
------------
Some pages on http://news.php.net/ are vulnerable to XSS through specially crafted e-mail messages. A list of issues is given below.

article.php:
- (XSS) Unsanitized `Subject` header is inserted in the document title through `start_article()`
- (XSS) The filename and mimetypes of attachments are inserted directly through `echo`
- malformed HTML due to an invalid HTML href= attribute is possible because URLs are converted with htmlspecialchars($line, ENT_NOQUOTES).
- The `Date` header is passed directly to `strtotime`, which can lead to funny dates in the message, by using values like `yesterday` or `now` for example
- Possible denial of service on the news server because there is no limit set on the number of references
- (bug) MIME headers are ignored
- (enh) do not quit if no connection could be made to the news server when looking for references
- (enh) According to section 2.2.3 of RFC 2822 (Internet Message Format), a header may be split over multiple lines:
--quote--
   Each header field is logically a single line of characters comprising
   the field name, the colon, and the field body.  For convenience
   however, and to deal with the 998/78 character limitations per line,
   the field body portion of a header field can be split into a multiple
   line representation; this is called "folding".  The general rule is
   that wherever this standard allows for folding white space (not
   simply WSP characters), a CRLF may be inserted before any WSP.  For
   example, the header field:

           Subject: This is a test

   can be represented as:

           Subject: This
            is a test
--quote--
Currently, it's assumed that a new header field contains a colon (:); otherwise, it's treated as a continuation of the previous header field.

common.inc:
- Function start_article() is defined here, the title is shown without escaping
- htmlspecialchars() is redundant when urlencode is called before

getpart.php:
- If the attachment contains malicious HTML code, it could steal php.net's cookies and make php.net possibly end up in malware databases
- (enh) see headers section in article.php
- (enh) clean up some unused variables and constructs

Test script:
---------------
First test:
http://news.php.net/php.test/879

Further posts:
http://news.php.net/php.test/880



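As an added example (this is neither the news.php.net code nor the reporter's patch), the following PHP sketches how the items in the report fit together: headers are unfolded by the leading-whitespace rule from the RFC quote rather than by testing for a colon, the References list is capped, Date is parsed against the RFC 2822 format instead of being handed to strtotime(), the title and linkified body URLs go through htmlspecialchars() with ENT_QUOTES, and attachments get download-only response headers. The message is constructed, MAX_REFERENCES and the allowed attachment types are assumed values, and the parser deliberately skips encoded-words, comments and the other details a complete RFC 2822 parser needs.

```php
<?php
// Added example; not the news.php.net code and not the reporter's patch.
// Headers are unfolded by the RFC 2822 leading-WSP rule, References are capped,
// Date must have the RFC 2822 shape, and everything reaching HTML is escaped
// with ENT_QUOTES. MAX_REFERENCES is an assumed value.
const MAX_REFERENCES = 25;

/** Header section -> [lowercase field name => [value, value, ...]] */
function parse_headers(string $raw): array
{
    $headers = [];
    $name = null;
    $section = preg_split("/\r?\n\r?\n/", $raw, 2)[0];   // stop at the blank line
    foreach (preg_split("/\r?\n/", $section) as $line) {
        if ($line === '') { continue; }
        if ($line[0] === ' ' || $line[0] === "\t") {
            // Folded continuation (RFC 2822 2.2.3): drop the CRLF, keep the WSP.
            // A "no colon means continuation" test would file " Re: 18:27" as a new field.
            if ($name !== null) {
                $headers[$name][count($headers[$name]) - 1] .= $line;
            }
            continue;
        }
        $colon = strpos($line, ':');
        if ($colon === false) {
            $name = null;                  // malformed line: drop it, never glue it on
            continue;
        }
        $name = strtolower(substr($line, 0, $colon));
        $headers[$name][] = trim(substr($line, $colon + 1));
    }
    return $headers;
}

/** htmlspecialchars() with ENT_QUOTES: safe as text and inside "..." attributes. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Link http(s) URLs in a body line; every piece is escaped once, quotes included. */
function linkify(string $line): string
{
    $parts = preg_split('~(https?://[^\s<>"\']+)~i', $line, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        $e = h($part);
        $out .= ($i % 2 === 1) ? "<a href=\"$e\">$e</a>" : $e;   // odd index = captured URL
    }
    return $out;
}

/** Require the RFC 2822 shape; strtotime() would accept "yesterday" or "now". */
function parse_date(string $value): ?DateTimeImmutable
{
    $dt = DateTimeImmutable::createFromFormat(DateTimeInterface::RFC2822, trim($value));
    return $dt === false ? null : $dt;
}

/** Response headers for serving an attachment: never rendered inline on the site's origin. */
function attachment_headers(string $filename, string $mime): array
{
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $filename) ?: 'attachment'; // no CR, LF or quotes
    $allowed = ['image/png', 'image/jpeg', 'image/gif', 'text/plain'];          // assumed list
    $type = in_array(strtolower($mime), $allowed, true) ? strtolower($mime) : 'application/octet-stream';
    return [
        "Content-Type: $type",
        "Content-Disposition: attachment; filename=\"$name\"",
        'X-Content-Type-Options: nosniff',
    ];
}

function render_article(string $raw): string
{
    $hdr  = parse_headers($raw);
    $body = preg_split("/\r?\n\r?\n/", $raw, 2)[1] ?? '';
    $date = parse_date($hdr['date'][0] ?? '');
    $refs = preg_split('/\s+/', $hdr['references'][0] ?? '', -1, PREG_SPLIT_NO_EMPTY);
    $out  = '<title>' . h($hdr['subject'][0] ?? '(no subject)') . "</title>\n";
    $out .= '<p>Date: ' . ($date ? h($date->format(DATE_RFC2822)) : 'not a valid Date header') . "</p>\n";
    foreach (array_slice($refs, 0, MAX_REFERENCES) as $ref) {   // bounded news-server lookups
        $out .= '<p>In reply to ' . h($ref) . "</p>\n";
    }
    foreach (preg_split("/\r?\n/", $body) as $line) {
        $out .= linkify($line) . "<br>\n";
    }
    return $out;
}

// Constructed message; not one of the php.test posts referenced in the report.
$msg = "From: reporter@example.invalid\r\n"
     . "Subject: Fwd: <script>alert(document.cookie)</script>\r\n"
     . " Re: meeting at 18:27\r\n"                  // folded continuation containing colons
     . "Date: yesterday\r\n"
     . "References: " . str_repeat('<m@example.invalid> ', 40) . "\r\n"
     . "\r\n"
     . "See http://example.invalid/?q=\"><script>alert(1)</script>\r\n";

echo render_article($msg);
print_r(attachment_headers("evil\r\nX: y.html", 'text/html'));
```

Run with PHP 7.1 or later. The folded Subject comes out as one field, "Fwd: ... Re: meeting at 18:27", with the script tags entity-encoded in the title; "yesterday" is reported as an invalid Date instead of yesterday's timestamp; only 25 of the 40 References are kept; the body URL is cut at the quote by the link regex and the remainder is escaped, so the href attribute cannot be closed early; the attachment filename loses its CRLF and text/html is downgraded to application/octet-stream with a download disposition.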
Patches

the-magic-patch-fixing-suggestions-from-description (last revision 2011-03-26 20:55 UTC by lekensteyn at gmail dot com)

History

 [2011-09-12 11:09 UTC] bjori@php.net
Your patch seems ok, but I don't quite understand what your test posts are demonstrating?
 [2014-12-30 08:42 UTC] stas@php.net
-Assigned To: +Assigned To: bjori
 [2014-12-30 18:21 UTC] bjori@php.net
-Status: Assigned +Status: Closed
 [2014-12-30 18:21 UTC] bjori@php.net
The fix for this bug has been committed. Since the websites are not directly
updated from the repository, the fix might need some time to spread
across the globe to all mirror sites, including PHP.net itself.

Thank you for the report, and for helping us make PHP.net better.

whoa, this got completely lost.

I updated the patch a little so it applies cleanly and have pushed it now.

Thanks for the fixes!
 