php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67494 PHP Bug allows anyone to send fake email even SMPT protection is used.
Submitted: 2014-06-22 04:21 UTC Modified: 2014-06-23 11:52 UTC
Votes:2
Avg. Score:3.0 ± 2.0
Reproduced:0 of 1 (0.0%)
From: ashesh1708 at gmail dot com Assigned:
Status: Not a bug Package: *Mail Related
PHP Version: 5.6.0RC1 OS: ALL
Private report: No CVE-ID: None
 [2014-06-22 04:21 UTC] ashesh1708 at gmail dot com
Description:
------------
Description
I have found a bug in Latest version of PHP that makes me send spoofed emails ,using a simple code I can bypass the SMPT protection used by many companies to prevent spoofed email sending, Like Facebook, Google, Yahoo etc. This bug is applicable to ALL websites including Facebook, Google etc.
_________________________________________________
Here's the code to exploit:

1. IF SMPT PROTECTION USED (EVEN ITS STRICT POLICY)

<?php
$to = "victim@example.com";
$subject = "Subject_here";
$txt = "Message here";
// This works because I included a space between @ and domain
$headers = "From: Username@ domain.com"; 
mail($to,$subject,$txt,$headers);
?>
2. If SMPT PROTECTION IS NOT USED

<?php
$to = "victim@example.com";
$subject = "Subject_here";
$txt = "Message here";
// As SMPT Protection is not used , no need to include space.
$headers = "From: Username@domain.com"; 
mail($to,$subject,$txt,$headers);
?>
_____________________________________________________________________
Why it can't be fixed by any website?
There is no way this could be fixed by individual websites even with Facebook, As They can add SMPT protection for facebook.com but thy can never own [space]facebook.com, So they can never add an SMPT protection for [SPACE]facebook.com
___________________________________________________________________
EXPLOIT SCENARIO
If I send a mail from attacker@example.com OR from attacker@ example.com they both are considered same by email providers.
Using this I can send Spoofed email to victim telling to change his/her password. Then I use the appropriate PHP codes I mentioned above. It appears to be same when received.

1) Phishing
2) Change Password
3)Make Fake Transition
4) Click on Virus link
5) Removes the trust of user on the website
etc.

Scenario 1:

Jim meets jack physically and decides an deal. An attacker somehow know this, He want the deal to be cancelled. he sends a spoofed mail from admin@xyz.com to jim@yahoo.com telling that deal is cancelled for some reason.

Scenario 2:

One day jim opens his email and sees an email from security@yahoo.co.uk regarding changing password. He doubts that yahoo.co.in is owned by Yahoo! Company or not? Then he opens http://yahoo.co.uk in his web browser which redirects him to ORIGINAL Yahoo! , It confirms that yahoo.co.uk is owned by Yahoo!

(Big companies own all domains eg. http:/googole.com, http:/google.co.in, http:/google.co.uk all is owned by google same is the case with Yahoo!) 
He clicks that change password link, clicking on the link takes him to a website where certain JavaScript is executed which steals his yahoo id and password (SESSION). The results can be more dangerous.
___________________________________________________________________________-
Proof OF Concept

Two images are attached. Each of one shows use of the codes , I mentioned above.

Image 1 : http://h.dropcanvas.com/fwt60/When_protection_is_used.png
Image 2 : http://h.dropcanvas.com/fwt60/When_protection_is_NOT_used.png

I have made a website (http://cdata.comule.com) to send the spoofed mail combining the two codes. (Please don't send more than 5 mails per minute and wait 5 minutes for mail to arrive)

The source code of my website is :


a) index.php

<html>
<body>
<h3>If using SMPT Protection use (username@[SPACE]example.com) in "From" field eg. (world123@ facebook.com)</h3>
<form action="submit.php" method="post">
 To: <input type="text" name="to"><br> 
 From: <input type="text" name="from"><br>
 Subject: <input type="text" name="subject"><br>
 Message: <textarea name="message"></textarea><br>
  <input type="submit">
</form>
</body>
</html>



b) submit.php

<?php
$to = $_POST["to"];
$subject = $_POST["subject"];
$txt = $_POST["message"];
$headers = "From: ".$_POST["from"];     
if(mail($to,$subject,$txt,$headers)){
echo "SENT";
echo "<br>";
echo "TO: ".$_POST["to"];
echo "<br>";
echo "From: ".$_POST[
echo "<br>";
echo "Subject: ".$_POST["subject"];
echo "<br>";
echo "Content: ".$_POST["message"];
echo "<br>";
}else{
echo "Fail";
}



I made a Proof of Concept video about how this can be exploited in Yahoo! mail (https://www.dropbox.com/s/ir8dprnetk322n8/POC.mp4)


_____________________________________________________________________________________________
FIX

PHP should not allow mail to be sent if there is a space after "@"
_____________________________________________________________________________________________

Additional Notes

It is easy to detect an spoofed mail. But only 2% of people over that WORLD knows it!
Its necessary to Fix this to prevent misunderstanding and attacks.
Here's how to add SMPT Protection to your Domain (Even i can bypass it)
https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability

Test script:
---------------
http://cdata.comule.com/ (Please don't send more than 5 mails per minute)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-06-22 05:58 UTC] phpmpan at mpan dot pl
Either I've misunderstood something about the bug or it's NaB.

For this to work, a website must give the attacker unrestricted access to the headers argument or in other way allow the attacker to set the "From" header. If it does then it's a serious bug in the website itself. PHP has nothing to do with it.

Could you provide an example of exploitable code? The current one is only showing that one can set "From" field. Such operation is not only quite obvious, but even required by the documentation. The already provided code also allows any website user to set this field, but it does only because you have explicitly allowed it. So either my brain is not working properly or there is no bug showed in the code.
 [2014-06-23 11:52 UTC] tyrael@php.net
-Status: Open +Status: Not a bug
 [2014-06-23 11:52 UTC] tyrael@php.net
Sending an email with the "From: Username@ domain.com" via php will produce the expected output:
"From: Username@ domain.com"
Not sure how this is a php specific problem, or a problem at all.

Not sure what do you mean by SMPT(btw that is SMTP, not SMPT) protection, based on your links I'm assuming you are referring to SPF(http://en.wikipedia.org/wiki/Sender_Policy_Framework),
many smtp servers doesn't even allows you to spoof the From header (you can set the header, but the mail for your account will be used anyways), but assuming that this gets through I'm still not convinced that this "trick" would work against even the dumbest spf implementation.
And assuming it does, it still not a php issue but an MTA problem.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jul 17 20:01:29 2024 UTC