mhonarc-dev

[bug #35388] commentized subjects allow PHP code injection

2012-01-27 22:13:43
URL:
  <http://savannah.nongnu.org/bugs/?35388>

                 Summary: commentized subjects allow PHP code injection
                 Project: MHonArc
            Submitted by: alvherre
            Submitted on: Sat 28 Jan 2012 01:12:27 CLST
                Category: Mail Parsing
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: Security
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: Linux
            Perl Version: 5.10.1
       Component Version: 2.6.16
           Fixed Release: 

    _______________________________________________________

Details:

Hi,

It was noticed on the archives.postgresql.org site (which generates mhonarc
archives with some custom PHP code) that people that use "<?php" in the
subject line cause the X-Subject HTML comment to be interpreted as PHP code. 
This causes a PHP injection vulnerability.

(As an example -- until today we used to run with the PHP config option
short_open_tags=on; this makes the interpreter confused merely with <? in the
subject, such as
http://archives.postgresql.org/pgsql-de-allgemein/2011-09/msg00008.php for
instance.  We turned that option off now, but obviously the more general
vulnerability of "<?php" tags still persists).

I think the fix may be something as simple as this:


*** ewhutil.pl.orig     2012-01-28 01:08:35.000000000 -0300
--- ewhutil.pl  2012-01-28 01:08:57.000000000 -0300
***************
*** 70,76 ****
  
  sub commentize {
      my($txt) = $_[0];
!     $txt =~ s/([\-&])/'&#'.unpack('C',$1).';'/ge;
      $txt;
  }
  
--- 70,76 ----
  
  sub commentize {
      my($txt) = $_[0];
!     $txt =~ s/([\-&<])/'&#'.unpack('C',$1).';'/ge;
      $txt;
  }
  
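Review bot: the `!` line in the new hunk widens the character class to `[\-&<]` without saying why; add a comment above the substitution such as `# also escape '<' so a subject containing "<?php" cannot become a PHP open tag inside the X-Subject comment`. Because the class now escapes every `<` unconditionally (the concern raised just below the patch), confirm that whatever reads these comments back decodes `&#60;` the same way it already decodes `&#45;` and `&#38;`.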


However, this would cause all <'s to be escaped, not just the ones that are
part of a <? pair; and I'm not sure if other things would be negatively
affected.

Thoughts?

Note: since this directly affects our running instance, I'd like this issue not
to be made public until we can find some way to fix the problem.
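
The two versions of commentize from the patch above, modelled in Python as an added example (not MHonArc's own code), together with a defender's check for whether the generated X-Subject comment still carries a sequence the PHP interpreter would treat as an open tag. The exact shape of the comment, `<!--X-Subject: ... -->`, is assumed.

```python
import re

def commentize_original(txt):
    # MHonArc 2.6.16 ewhutil.pl commentize: only '-' and '&' become
    # decimal numeric entities (Perl's unpack('C', $1) == ord() for ASCII).
    return re.sub(r'([\-&])', lambda m: '&#%d;' % ord(m.group(1)), txt)

def commentize_patched(txt):
    # The patch proposed in the report: '<' is escaped as well, so "<?php"
    # can no longer survive into the comment as a PHP open tag.
    return re.sub(r'([\-&<])', lambda m: '&#%d;' % ord(m.group(1)), txt)

def x_subject_comment(subject, commentize):
    # Assumed shape of the X-Subject marker MHonArc writes into each page.
    return '<!--X-Subject: %s -->' % commentize(subject)

# "<?php", "<?=" and (with short_open_tag=On) bare "<?" all start with "<?".
PHP_OPEN_TAG = re.compile(r'<\?')

def contains_php_open_tag(html):
    # Check for generated output: would the page, when served as .php,
    # still hand a PHP open tag to the interpreter?
    return PHP_OPEN_TAG.search(html) is not None

if __name__ == '__main__':
    # Constructed sample subject, not taken from any real archive.
    subject = 'Re: <?php echo "hello"; ?> in a subject'
    for name, fn in (('original', commentize_original),
                     ('patched', commentize_patched)):
        html = x_subject_comment(subject, fn)
        print(name, 'still contains a PHP open tag:',
              contains_php_open_tag(html))
        print('   ', html)
```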

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?35388>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
