[php-maint] Bug#325550: marked as done (php4: Problems with mail() function allow relaying through mailforms...)

Debian Bug Tracking System owner at bugs.debian.org
Wed Aug 31 07:48:13 UTC 2005


Your message dated Wed, 31 Aug 2005 00:40:36 -0700
with message-id <20050831074036.GA20660 at tennyson.netexpress.net>
and subject line Bug#325550: php4: Problems with mail() function allow relaying through mailforms...
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Aug 2005 11:58:53 +0000
From debian at stroobant.be Mon Aug 29 04:58:53 2005
Return-path: <debian at stroobant.be>
Received: from (warp.cdenv.be) [213.246.192.77] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1E9iHt-0004QZ-00; Mon, 29 Aug 2005 04:58:53 -0700
Received: by warp.cdenv.be (Postfix, from userid 1000)
	id 265A4C4E37; Mon, 29 Aug 2005 13:58:21 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Luc Stroobant <debian at stroobant.be>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: php4: Problems with mail() function allow relaying through mailforms...
X-Mailer: reportbug 3.8
Date: Mon, 29 Aug 2005 13:58:21 +0200
Message-Id: <20050829115821.265A4C4E37 at warp.cdenv.be>
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: php4
Version: 4:4.3.10-15
Severity: normal

Last weekend, we noticed some attempts to abuse one of our mailforms.
Analysis of our mail logs showed some mails were sent through a php script.
As the "To" field was hard coded in the script and register_globals was off,
the spammer must have used some other method to send the mail.

A stripped down version of the original script can be found on:
http://www.stroobant.be/phpmail/mailscript.phps

I used mod_security to intercept the POST requests...
Here is one of those requests:

r=oirkcyexud%40coza.net%0AContent-Type%3A+multipart%2Fmixed%3B+boundary%3D%22%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D1269369969%3D%3D%22%0AMIME-Ver
sion%3A+1.0%0ASubject%3A+e2dae455%0ATo%3A+oirkcyexud%40coza.net%0Abcc%3A+jrubin3546%40aol.com%0AFrom%3A+oirkcyexud%40coza.net%0A%0AThis+is+a+multi-part+messag
e+in+MIME+format.%0A%0A--%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D1269369969%3D%3D%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Versi
on%3A+1.0%0AContent-Transfer-Encoding%3A+7bit%0A%0Adzrgpjy%0A--%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D1269369969%3D%3D--%0A
&name=oirkcyexud%40coza.net
&subject=oirkcyexud%40coza.net
&email=oirkcyexud%40coza.net&submit=oirkcyexud%40coza.net

It shows he was able to insert an additional recipient through the "r" variable, which is the reaction field. (and not the from or to, as one would expect)
He used some multi-part boundaries for this. IMHO this is a bug in the PHP mail() function and I'm afraid this kind of abuse can be used on quite a lot of PHP mailforms...
I can provide you with additional details and server logs if needed.

Regards,

Luc


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages php4 depends on:
ii  libapache-mod-php4           4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-common                  4:4.3.10-15 Common files for packages built fr

-- no debconf information

---------------------------------------
Received: (at 325550-done) by bugs.debian.org; 31 Aug 2005 07:40:38 +0000
From vorlon at debian.org Wed Aug 31 00:40:38 2005
Return-path: <vorlon at debian.org>
Received: from dsl093-039-086.pdx1.dsl.speakeasy.net (tennyson.netexpress.net) [66.93.39.86] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EAND3-0007yB-00; Wed, 31 Aug 2005 00:40:37 -0700
Received: by tennyson.netexpress.net (Postfix, from userid 1003)
	id F1CDC7049; Wed, 31 Aug 2005 00:40:36 -0700 (PDT)
Date: Wed, 31 Aug 2005 00:40:36 -0700
From: Steve Langasek <vorlon at debian.org>
To: Luc Stroobant <debian at stroobant.be>, 325550-done at bugs.debian.org
Subject: Re: Bug#325550: php4: Problems with mail() function allow relaying through mailforms...
Message-ID: <20050831074036.GA20660 at tennyson.netexpress.net>
References: <43143F9A.7080902 at stroobant.be>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="5vNYLRcllDrimb99"
Content-Disposition: inline
In-Reply-To: <43143F9A.7080902 at stroobant.be>
User-Agent: Mutt/1.5.9i
Delivered-To: 325550-done at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02


--5vNYLRcllDrimb99
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Aug 30, 2005 at 01:14:34PM +0200, Luc Stroobant wrote:
> Additional remark.
> After a while, I figured out they probably didn't insert the extra
> receivers via the email message ($r) --although they tried that too, had
> to sort out hundreds of log entries-- but through the from/email variable.
> There was a problem with the validation of the from-address in the
> script (used trim instead of a regex to replace all \n's, trim only
> removes \n at the beginning and the end). So in that way, they could
> insert additional headers.
> But I did some tests with mail() and I still think it should be
> considered as a bug that PHP mail() allows insertion of additional To:
> headers through the 'additional_headers' variable. You don't even need
> to insert the MIME boundary for that, just put 'From: user at domain\nTo:
> user at otherdomain' in the additional headers and mail() will send it to
> an additional recipient...

Er, it sounds to me like a bug that you're allowing untrusted users to
populate the additional_headers variable through a web form.  I don't
see any reason to consider it a bug for mail() to give you enough rope
to hang yourself...

> As spam attempts through mailforms are rising, I guess it would be a
> better idea to disallow any definition of mail recipients in the
> additional headers and force the user to input recipients via a
> to/cc/bcc variable in mail() call. (but I know that's a PHP issue and
> won't bother you any further with this ;-)

I'm not sure if this means you're agreeing with me, but in any case I
think this report should be closed as a non-bug.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/

--5vNYLRcllDrimb99
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDFV70KN6ufymYLloRAtFDAJ9DGuZ7rkrQHxvlcrV4X/p2sghdcQCfVuBV
14MhbZQ0sbNXZ+km3f1T2tk=
=LZ73
-----END PGP SIGNATURE-----

--5vNYLRcllDrimb99--
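The two observations in this thread, that the real defect is letting form input reach the additional_headers argument of mail(), and that trim() leaves a newline embedded in the middle of a value untouched, translate into a small input check that a mailform can run before calling mail(). The following is an added example, not code from the bug report or from the mailscript.phps at stroobant.be; the function names, the fixed recipient address and the sample POST arrays are constructed for illustration. Recipients come only from a constant in the script, and any value destined for a header line is rejected outright if it contains CR or LF. The message body may contain newlines, since it is never placed in the header string.

```php
<?php
// Added example (not from the bug report): rejecting header injection in a
// PHP mailform before anything reaches mail(). Names and sample inputs
// below are constructed for illustration.

/**
 * A header value is safe only if it contains no CR or LF at all.
 * trim() is not enough: it strips newlines at the ends of the string
 * and leaves "user@example.com\nBcc: other@example.net" unchanged.
 */
function header_value_is_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

/**
 * Validate an address for use in a From: header: no control characters,
 * and it must pass PHP's own single-address e-mail filter.
 */
function sender_is_valid(string $email): bool
{
    return header_value_is_safe($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Build the arguments for mail(). The recipient is the script's own
 * constant; user input may influence only From:, Subject: and the body.
 * Returns null when the submission must be rejected.
 */
function build_mail(array $post, string $fixed_recipient): ?array
{
    $from    = $post['email']   ?? '';
    $subject = $post['subject'] ?? '';
    $body    = $post['r']       ?? '';   // free text, newlines allowed here

    if (!sender_is_valid($from) || !header_value_is_safe($subject)) {
        return null;
    }

    // Every user-controlled header value has been checked to be newline-free,
    // so no extra To:/Bcc: line can be smuggled into additional_headers.
    $headers = 'From: ' . $from . "\r\n"
             . 'Reply-To: ' . $from;

    return [$fixed_recipient, $subject, $body, $headers];
}

// Constructed submissions: a normal one, and one carrying an injected
// Bcc: line inside the "email" field (the pattern described in the report).
$submissions = [
    'normal'   => ['email' => 'alice@example.com',
                   'subject' => 'Hello', 'r' => "Hi,\nquestion about the site."],
    'injected' => ['email' => "alice@example.com\nBcc: victim@example.net",
                   'subject' => 'Hello', 'r' => 'Hi'],
];

foreach ($submissions as $label => $post) {
    $args = build_mail($post, 'webmaster@example.org');
    if ($args === null) {
        echo "$label: rejected, header injection attempt logged\n";
        continue;
    }
    // In a real form this would be: mail($args[0], $args[1], $args[2], $args[3]);
    echo "$label: accepted, would send to {$args[0]}\n";
}

// Why trim() alone failed in the original script: the embedded newline
// survives it, so the comparison below reports that trim() changed nothing.
$field = $submissions['injected']['email'];
echo 'trim() removed the newline: ', (trim($field) !== $field ? 'yes' : 'no'), "\n";
```

The check is deliberately a rejection rather than a cleanup: stripping or replacing newlines would silently turn an attack into a malformed but deliverable message, whereas refusing the request gives a clear log entry (the mod_security captures in the report show what those look like) and nothing to relay. If the form must let users choose a recipient, pass the validated address as the first argument of mail() and never through the headers string.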


