[bug #35388] commentized subjects allow PHP code injection

2012-01-27 22:13:43

                 Summary: commentized subjects allow PHP code injection
                 Project: MHonArc
            Submitted by: alvherre
            Submitted on: Sat 28 Jan 2012 01:12:27 CLST
                Category: Mail Parsing
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: Security
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: Linux
            Perl Version: 5.10.1
       Component Version: 2.6.16
           Fixed Release: 

It was noticed on the site (which generates mhonarc
archives with some custom PHP code) that people that use "<?php" in the
subject line cause the X-Subject HTML comment to be interpreted as PHP code. 
This causes a PHP injection vulnerability.

(As an example -- until today we used to run with the PHP config option
short_open_tags=on; this makes the interpreter confused merely with <? in the
subject, such as for
instance.  We turned that option off now, but obviously the more general
vulnerability of "<?php" tags still persists).

I think the fix may be something as simple as this:

***     2012-01-28 01:08:35.000000000 -0300
---  2012-01-28 01:08:57.000000000 -0300
*** 70,76 ****
  sub commentize {
      my($txt) = $_[0];
!     $txt =~ s/([\-&])/'&#'.unpack('C',$1).';'/ge;
--- 70,76 ----
  sub commentize {
      my($txt) = $_[0];
!     $txt =~ s/([\-&<])/'&#'.unpack('C',$1).';'/ge;
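Review bot: the added `<` goes through the same `unpack('C',$1)` path as `-` and `&`, so it is emitted as `&#60;` and a PHP open tag (`<?php` or the short `<?`) can no longer appear literally inside the comment, which addresses the report; the only thing to verify is the decoding side, which is not visible in this excerpt (the hunk shows three of the seven lines in the 70,76 range), namely that whatever reverses this mapping when an archive is regenerated accepts any `&#NN;` value rather than only the two characters escaped before this change. The reporter's worry about escaping every `<` is no different from what the existing regex already does unconditionally for `-` and `&`, and because the value sits inside an HTML comment the entity is never rendered, so no selective `<?`-only match is needed; the commit message should state that `<` is now always escaped in these comment fields.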

However, this would cause all <'s to be escaped, not just the ones that are
part of a <? pair; and I'm not sure if other things would be negatively


Note: since this directly affects our running instance, I'd like this issue not
to be made public until we can find some way to fix the problem.
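To see what the one-character change in the proposed patch buys, here is a small Perl script, added as an example and not code from the report or from MHonArc itself, that runs the original and the patched `commentize` regex over a few constructed subject lines, wraps the result in the `<!--X-Subject: ... -->` comment form the report refers to, and checks whether a PHP open tag survives. The `uncommentize`, `subject_comment` and `is_safe_body` helpers are this example's own assumptions, not MHonArc functions, and the sample subjects are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# commentize as on the "before" side of the report's patch: only '-' and '&'
# are turned into numeric entities.
sub commentize_orig {
    my ($txt) = @_;
    $txt =~ s/([\-&])/'&#'.unpack('C',$1).';'/ge;
    return $txt;
}

# commentize with the proposed one-character change: '<' is escaped as well,
# so "<?php" becomes "&#60;?php" and PHP never sees an open tag.
sub commentize_fixed {
    my ($txt) = @_;
    $txt =~ s/([\-&<])/'&#'.unpack('C',$1).';'/ge;
    return $txt;
}

# Generic decoder for the &#NN; form (an assumption for this example, not a
# copy of MHonArc's decoder): it must accept any code, not only 45 and 38,
# or the newly escaped '<' would not round-trip when an archive is rebuilt.
sub uncommentize {
    my ($txt) = @_;
    $txt =~ s/&#(\d+);/chr($1)/ge;
    return $txt;
}

# Wrap an escaped subject in the comment form the report mentions
# (illustrative helper; the real archive page layout is not reproduced).
sub subject_comment {
    my ($body) = @_;
    return "<!--X-Subject: $body -->";
}

# Defensive check on the escaped body only (not the wrapper): neither form
# of PHP open tag may survive, and "--" must not appear because it could
# terminate the HTML comment early.
sub is_safe_body {
    my ($body) = @_;
    return 0 if $body =~ /<\?/;
    return 0 if $body =~ /--/;
    return 1;
}

# Constructed sample subjects for the demonstration.
my @subjects = (
    'Re: plain subject - nothing special',
    'Testing <?php echo "injected"; ?> in the subject',
    '<? short open tag & an ampersand',
);

for my $s (@subjects) {
    my $before = commentize_orig($s);
    my $after  = commentize_fixed($s);
    print "subject : $s\n";
    printf "before  : %s [%s]\n", subject_comment($before),
        is_safe_body($before) ? 'safe' : 'UNSAFE';
    printf "after   : %s [%s]\n", subject_comment($after),
        is_safe_body($after) ? 'safe' : 'UNSAFE';
    printf "round trip through uncommentize: %s\n\n",
        uncommentize($after) eq $s ? 'ok' : 'MISMATCH';
}
```

Running it shows the second and third subjects flagged UNSAFE with the original regex and safe with the patched one, while the first subject is unchanged apart from the `-` that was already being escaped. The `<\?` test in `is_safe_body` deliberately catches the short `<?` form too, since the report notes that `short_open_tags` only hides that variant rather than the underlying problem.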


  Message sent via/by Savannah
