[UNIX] Dotdeb PHP Email Header Injection Vulnerability

Subject: [UNIX] Dotdeb PHP Email Header Injection Vulnerability
Date: 21 Nov 2006 12:51:49 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Dotdeb PHP Email Header Injection Vulnerability
------------------------------------------------------------------------


SUMMARY

"Dotdeb is an unofficial repository containing many packages for the Debian 
stable (aka "Sarge") distribution:
 * PHP, versions 4 & 5,
 * MySQL, versions 4.1 & 5.0,
 * Qmail,
 * Vpopmail...

Its goal is to easily turn your Debian GNU/Linux boxes into powerful, 
stable and up-to-date LAMP servers."

A vulnerability in Dotdeb's PHP allows calling PHP scripts with specially 
crafted URLs, which can result in arbitrary email header injection.

DETAILS

Vulnerable Systems:
 * Dotdeb PHP versions prior to 5.2.0 Rev 3

Immune Systems:
 * Dotdeb PHP 5.2.0 Rev 3

It was discovered that the Dotdeb PHP packages are patched with a mail() 
protection patch that was originally created by Steve Bennett and is 
nowadays developed at choon.net. This patch adds an X-PHP-Script header to 
outgoing mails that contains the name of the server, the script and the 
calling IP.

Unfortunately the script name is copied directly from PHP's PHP_SELF 
variable without further processing. Because PHP_SELF contains not only 
the script name but also the URL-decoded content of PATH_INFO, this 
allows injection of arbitrary content into the email headers.

Because of this vulnerability, on every PHP server that uses this patch, 
every PHP script that calls the mail() function can be abused to send 
spam or tricked into disclosing sensitive content by injecting Bcc: 
headers.

A possible attack could be injecting Bcc: headers into password 
reminder/password reset mails sent out by forums to break into the 
administrator account.
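The following Python model, added here as an illustration and not code from the advisory, the Dotdeb packages or the choon.net patch, shows why copying PHP_SELF into the X-PHP-Script header is unsafe and how a header built from SCRIPT_NAME with CR/LF stripped stays on one line. The header layout ("X-PHP-Script: <server><script> for <ip>"), the CGI variable values and the injected sample are constructed assumptions for this example; the real patch is C code inside PHP's mail() implementation.

```python
import re
from urllib.parse import unquote

# Any bare CR or LF inside a header value terminates that header line.
CRLF_RE = re.compile(r"[\r\n]")


def php_self(script_name: str, path_info_raw: str) -> str:
    """Model of PHP_SELF as the advisory describes it: SCRIPT_NAME followed by
    the URL-decoded PATH_INFO (assumption: the web server hands PATH_INFO over
    still percent-encoded and PHP decodes it)."""
    if path_info_raw:
        return script_name + unquote(path_info_raw)
    return script_name


def x_php_script_vulnerable(server: str, self_value: str, remote_addr: str) -> str:
    """Header as the pre-fix patch built it: the PHP_SELF value is copied
    verbatim, so anything decoded out of PATH_INFO lands in the header."""
    return f"X-PHP-Script: {server}{self_value} for {remote_addr}"


def x_php_script_hardened(server: str, script_name: str, remote_addr: str) -> str:
    """Hardened construction (this example's approach, not a claim about the
    choon.net fix): use SCRIPT_NAME, which carries no PATH_INFO, and strip any
    CR/LF so the value can never end the header line early."""
    safe = CRLF_RE.sub("", script_name)
    return f"X-PHP-Script: {server}{safe} for {remote_addr}"


def smuggled_header_lines(header: str) -> list:
    """Check helper: a single header must occupy one line. Returns every extra
    line found inside the value; an empty list means the header is intact."""
    lines = re.split(r"\r\n|\r|\n", header)
    return lines[1:]


# Constructed request: a script reached with a PATH_INFO suffix that decodes
# to a line break followed by a second header (for demonstration only).
SERVER = "www.example.test"
REMOTE = "203.0.113.5"
SCRIPT = "/contact.php"
PATH_INFO_RAW = "/x%0d%0aX-Injected:%20yes"


def demo() -> dict:
    """Builds both header variants for the constructed request and reports
    which extra lines each one leaks."""
    self_value = php_self(SCRIPT, PATH_INFO_RAW)
    vuln = x_php_script_vulnerable(SERVER, self_value, REMOTE)
    hard = x_php_script_hardened(SERVER, SCRIPT, REMOTE)
    return {
        "vulnerable": vuln,
        "vulnerable_extra_lines": smuggled_header_lines(vuln),
        "hardened": hard,
        "hardened_extra_lines": smuggled_header_lines(hard),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same one-line check can be run against any header value that is derived from request data before it is handed to mail(): if `smuggled_header_lines()` returns anything, the value must be rejected or stripped rather than sent.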

Disclosure Timeline:
10. November 2006 - Notified dotdeb vendor and choon.net
12. November 2006 - choon.net released updated patch
13. November 2006 - dotdeb released updated PHP packages
14. November 2006 - Public Disclosure

Recommendation:
We strongly recommend upgrading your dotdeb installation as soon as 
possible, because it not only fixes this vulnerability but also bundles 
our Suhosin Patch for extra protection of your PHP server.

You can get the packages from: http://packages.dotdeb.org

If you want more information about the Suhosin Patch then go to: 
http://www.hardened-php.net/suhosin/index.html


ADDITIONAL INFORMATION

The information has been provided by Stefan Esser <sesser@hardened-php.net>.
The original article can be found at: 
http://www.hardened-php.net/advisory_142006.139.html




DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 



