URL:
<http://savannah.nongnu.org/bugs/?35388>
Summary: commentized subjects allow PHP code injection
Project: MHonArc
Submitted by: alvherre
Submitted on: Sat 28 Jan 2012 01:12:27 CLST
Category: Mail Parsing
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: Security
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Operating System: Linux
Perl Version: 5.10.1
Component Version: 2.6.16
Fixed Release:
_______________________________________________________
Details:
Hi,
It was noticed on the archives.postgresql.org site (which generates mhonarc
archives with some custom PHP code) that people that use "<?php" in the
subject line cause the X-Subject HTML comment to be interpreted as PHP code.
This causes a PHP injection vulnerability.
(As an example -- until today we used to run with the PHP config option
short_open_tags=on; this makes the interpreter confused merely with <? in the
subject, such as
http://archives.postgresql.org/pgsql-de-allgemein/2011-09/msg00008.php for
instance. We turned that option off now, but obviously the more general
vulnerability of "<?php" tags still persists).
I think the fix may be something as simple as this:
*** ewhutil.pl.orig 2012-01-28 01:08:35.000000000 -0300
--- ewhutil.pl 2012-01-28 01:08:57.000000000 -0300
***************
*** 70,76 ****
sub commentize {
my($txt) = $_[0];
! $txt =~ s/([\-&])/'&#'.unpack('C',$1).';'/ge;
$txt;
}
--- 70,76 ----
sub commentize {
my($txt) = $_[0];
! $txt =~ s/([\-&<])/'&#'.unpack('C',$1).';'/ge;
$txt;
}
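Review bot: the hunk changes only the forward substitution in commentize (adding `<` to the character class `[\-&<]`), but nothing in the diff touches the routine that reads the X-Subject comment back and decodes the `&#NN;` references; confirm that the inverse mapping decodes `&#60;` as well, otherwise subjects re-read from existing archives will display the literal reference. A one-line comment above the substitution saying why `<` is escaped (to keep `<?`/`<?php` out of the HTML comment when the page is served through a PHP interpreter) would also help the next reader, since the class now mixes comment-safety characters with an interpreter-safety one.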
However, this would cause all <'s to be escaped, not just the ones that are
part of a <? pair; and I'm not sure if other things would be negatively
affected.
Thoughts?
Note: since this directly affects our running instance, I'd like this issue not
to be made public until we can find some way to fix the problem.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?35388>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
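An added example (not code from the report or from MHonArc) showing the behaviour the report describes: the original commentize leaves `<?php` intact inside the X-Subject comment, the proposed fix escapes every `<`, and a narrower variant (an assumption of this example, not a project decision) escapes `<` only when `?` follows. The sample subject is constructed; whether the reverse routine that reads comments back decodes the new reference is not covered here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Original MHonArc 2.6.16 behaviour as quoted in the report: only '-' and
# '&' become numeric character references, so '<?php' survives verbatim.
sub commentize_orig {
    my ($txt) = @_;
    $txt =~ s/([\-&])/'&#'.unpack('C',$1).';'/ge;
    return $txt;
}

# Fix proposed in the report: also escape every '<'.
sub commentize_fixed {
    my ($txt) = @_;
    $txt =~ s/([\-&<])/'&#'.unpack('C',$1).';'/ge;
    return $txt;
}

# Assumed narrower variant: escape '<' only when it is immediately followed
# by '?', leaving other '<' characters in the subject untouched.
sub commentize_narrow {
    my ($txt) = @_;
    $txt =~ s/([\-&]|<(?=\?))/'&#'.unpack('C',$1).';'/ge;
    return $txt;
}

# Check that a generated comment contains no sequence a PHP interpreter
# (with or without short_open_tag) could take as an open tag.
sub comment_is_safe {
    my ($comment) = @_;
    return $comment !~ /<\?/ ? 1 : 0;
}

# Constructed sample subject line containing both a PHP tag and ordinary markup.
my $subject = 'Re: <?php echo "hi"; ?> & <b>bold</b> -- test';

for my $variant ([orig => \&commentize_orig],
                 [fixed => \&commentize_fixed],
                 [narrow => \&commentize_narrow]) {
    my ($name, $fn) = @$variant;
    my $comment = '<!--X-Subject: ' . $fn->($subject) . ' -->';
    printf "%-6s safe=%d %s\n", $name, comment_is_safe($comment), $comment;
}
```

Running it prints safe=0 for the original and safe=1 for both escaped variants, with the narrow variant keeping `<b>` readable in the comment.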