Hardened-PHP Project Security Advisory 2006-14.139
Posted Nov 16, 2006
Authored by Stefan Esser, Hardened-PHP Project | Site hardened-php.net

Hardened PHP Project Security Advisory - Dotdeb PHP versions below 5.2.0 revision 3 suffer from an email header injection vulnerability.

tags | advisory, php
SHA-256 | 7aba22abbcde28fff1cae212fbfcccf3a83a9218f5ce24a5357f7b683d45e2bd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened-PHP Project
www.hardened-php.net

-= Security Advisory =-


Advisory: Dotdeb PHP Email Header Injection Vulnerability
Release Date: 2006/11/14
Last Modified: 2006/11/14
Author: Stefan Esser [sesser@hardened-php.net]

Application: Dotdeb PHP < 5.2.0 Rev 3
Severity: Calling PHP scripts with specially crafted URLs
can result in arbitrary email header injection
Risk: Critical
Vendor Status: Vendor has fixed this with Dotdeb PHP 5.2.0 rev 3
References: http://www.hardened-php.net/advisory_142006.139.html


Overview:

Quote from http://www.dotdeb.org
"Dotdeb is an unofficial repository containing many packages
for the Debian stable (aka "Sarge") distribution:
* PHP, versions 4 & 5,
* MySQL, versions 4.1 & 5.0,
* Qmail,
* Vpopmail...

Its goal is to easily turn your Debian GNU/Linux boxes into
powerful, stable and up-to-date LAMP servers."

It was discovered that the Dotdeb PHP packages are patched with
a mail() protection patch that was originally created by Steve
Bennett and is nowadays developed at choon.net. This patch adds
an X-PHP-Script header to outgoing mails that contains the name
of the server, the script and the calling IP.

Unfortunately the script name is copied directly from PHP's
PHP_SELF variable without further processing. Because PHP_SELF
contains not only the script name but also the URL-decoded
content of PATH_INFO, this allows injection of arbitrary content
into the email headers.

Because of this vulnerability, on every PHP server that uses this
patch every PHP script that calls the mail() function can either
be used to send spam or be tricked into disclosing sensitive
content by injecting Bcc: headers.

A possible attack could be injecting Bcc: headers into password
reminder/password reset mails sent out by forums to break into
the administrator account.
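The following is an added example, written for this page and not code from the choon.net patch, Dotdeb or the Hardened-PHP Project. It reconstructs the header construction the advisory describes (server name, script name from PHP_SELF, caller IP, copied into the X-PHP-Script header unchanged) beside a hardened variant, and includes a small check a maintainer can run in a unit test to confirm no header value can start a second line. The hardened function's choices (preferring SCRIPT_NAME, stripping control characters) are assumptions about how a fix could look, not the vendor's actual patch; the request values are constructed.

```php
<?php
// Added example, not the choon.net/Dotdeb patch. Reproduces the behaviour the
// advisory describes: PHP_SELF (which carries URL-decoded PATH_INFO) is
// copied into the X-PHP-Script header without any filtering.
function build_header_vulnerable(array $server): string
{
    return 'X-PHP-Script: ' . $server['SERVER_NAME'] . $server['PHP_SELF']
         . ' for ' . $server['REMOTE_ADDR'];
}

// Hardened variant (assumption: one possible fix, not the vendor's code).
// SCRIPT_NAME does not include PATH_INFO, and every value is stripped of
// CR, LF and other control characters so a second header line can never be
// started regardless of where the value came from.
function build_header_hardened(array $server): string
{
    $script = $server['SCRIPT_NAME'] ?? $server['PHP_SELF'] ?? '';
    $script = preg_replace('/[\x00-\x1f\x7f]/', '', $script);
    $host   = preg_replace('/[\x00-\x1f\x7f]/', '', $server['SERVER_NAME'] ?? '');
    // Remote address: keep only characters valid in IPv4/IPv6 literals.
    $ip     = preg_replace('/[^0-9a-fA-F.:]/', '', $server['REMOTE_ADDR'] ?? '');
    return "X-PHP-Script: {$host}{$script} for {$ip}";
}

// Check for unit tests or log review: true if the header value would
// terminate the current line and start another one.
function header_has_crlf(string $header): bool
{
    return (bool) preg_match('/[\r\n]/', $header);
}

// Constructed request. PATH_INFO is already URL-decoded by the web server
// when it appears in PHP_SELF, so the line break is literal here.
$server = [
    'SERVER_NAME' => 'www.example.com',
    'SCRIPT_NAME' => '/contact.php',
    'PHP_SELF'    => "/contact.php/\r\nX-Injected: constructed",
    'REMOTE_ADDR' => '192.0.2.10',
];

$vuln = build_header_vulnerable($server);
$safe = build_header_hardened($server);

// Expected: the reconstructed vulnerable header contains CRLF, the
// hardened one does not and reads "X-PHP-Script: www.example.com/contact.php for 192.0.2.10".
echo 'vulnerable header has CRLF: ' . var_export(header_has_crlf($vuln), true) . "\n";
echo 'hardened header has CRLF:   ' . var_export(header_has_crlf($safe), true) . "\n";
echo $safe . "\n";
```

The same `header_has_crlf()` check is useful as a regression test for any code that builds mail headers from request data: run it over every header value before the message is handed to the MTA, and treat a hit as an injection attempt worth logging.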


Proof of Concept:

The Hardened-PHP Project is not going to release a proof of concept
exploit for this vulnerability.


Disclosure Timeline:

10. November 2006 - Notified dotdeb vendor and choon.net
12. November 2006 - choon.net released updated patch
13. November 2006 - dotdeb released updated PHP packages
14. November 2006 - Public Disclosure


Recommendation:

We strongly recommend upgrading your dotdeb installation as soon
as possible, because it not only fixes this vulnerability but
also bundles our Suhosin Patch for extra protection of your PHP
server.

You can get the packages from:

http://packages.dotdeb.org

If you want more information about the Suhosin Patch then go to:

http://www.hardened-php.net/suhosin/index.html


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFWfxoRDkUzAqGSqERAoX6AKCY+qlKNJkLIYvMYdhyTEXi1/WtfACg4szt
zeDfTedyMjrarD7lYVLvvB0=
=BcU5
-----END PGP SIGNATURE-----
