<<< Date Index >>>     <<< Thread Index >>>

Advisory 14/2006: Dotdeb PHP Email Header Injection Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: Dotdeb PHP Email Header Injection Vulnerability
 Release Date: 2006/11/14
Last Modified: 2006/11/14
       Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]

  Application: Dotdeb PHP < 5.2.0 Rev 3
     Severity: Calling PHP scripts with special crafted URLs
               can result in arbitrary email header injection
         Risk: Critical
Vendor Status: Vendor has fixed this with Dotdeb PHP 5.2.0 rev 3
   References: http://www.hardened-php.net/advisory_142006.139.html


Overview:

   Quote from http://www.dotdeb.org
   "Dotdeb is an unofficial repository containing many packages 
    for the Debian stable (aka .Sarge.) distribution :   
     * PHP, versions 4 & 5,
     * MySQL,versions 4.1 & 5.0,
     * Qmail,
     * Vpopmail...
                                           
    Its goal is to turn easily your Debian GNU/Linux boxes into 
    powerful, stable and up-to-date LAMP servers."
    
   It was discovered that the Dotdeb PHP packages are patched with
   a mail() protection patch that was originally created by Steve
   Bennett and is nowadays developed at choon.net. This patch adds
   an X-PHP-Script header to outgoing mails that contains the name
   of the server, the script and the calling IP.
   
   Unfortunately the script name is directly copied from PHP's
   PHP_SELF variable without further processing. Because PHP_SELF
   does not only contain the script name but also the urldecoded
   content of PATH_INFO this allows injection of arbitrary content
   into the email headers.
   
   Because of this vulnerability on every PHP server that uses this
   patch every PHP script that uses the mail() function can be used
   to send either spam mail or tricked into disclosing sensitive 
   content by injecting Bcc: headers.
   
   A possible attack could be injecting Bcc: headers into password 
   reminder/password reset mails sent out by forums to break into
   the administrator account.


Proof of Concept:

   The Hardened-PHP Project is not going to release a proof of concept 
   exploit for this vulnerability.


Disclosure Timeline:

   10. November 2006 - Notified dotdeb vendor and choon.net
   12. November 2006 - choon.net released updated patch
   13. November 2006 - dotdeb released updated PHP packages
   14. November 2006 - Public Disclosure


Recommendation:

   We strongly recommend upgrading your dotdeb installation as soon
   as possible, because it not only fixes this vulnerability but
   also bundles our Suhosin Patch for extra protection of your PHP
   server.
   
   You can get the packages from:
   
   http://packages.dotdeb.org   

   If you want more information about the Suhosin Patch then go to:
   
   http://www.hardened-php.net/suhosin/index.html


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFWfxoRDkUzAqGSqERAoX6AKCY+qlKNJkLIYvMYdhyTEXi1/WtfACg4szt
zeDfTedyMjrarD7lYVLvvB0=
=BcU5
-----END PGP SIGNATURE-----