PHP mail() function ASCII injection

php-mail-ascii-injection (9959)

Low Risk

Description:

The mail() function in PHP fails to properly filter user-supplied input. This could allow a remote attacker to inject ASCII control characters to spoof email headers.

Platforms Affected:

• Debian, Debian Linux 2.2
• Debian, Debian Linux 3.0
• Gentoo, Linux
• MandrakeSoft, Mandrake Linux 8.2 PPC
• MandrakeSoft, Mandrake Linux 8.2
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Linux 9.1 PPC
• MandrakeSoft, Mandrake Linux 9.1
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
• MandrakeSoft, Mandrake Multi Network Firewall 8.2
• OpenPKG, OpenPKG 1.1
• OpenPKG, OpenPKG 1.2
• OpenPKG, OpenPKG CURRENT
• PHP, PHP 3.0
• PHP, PHP 4.0 RC1
• PHP, PHP 4.0 Beta1
• PHP, PHP 4.0 RC2
• PHP, PHP 4.0 Beta 4 Patch1
• PHP, PHP 4.0
• PHP, PHP 4.0 Beta2
• PHP, PHP 4.0 Beta3
• PHP, PHP 4.0 Beta4
• PHP, PHP 4.0.0
• PHP, PHP 4.0.1
• PHP, PHP 4.0.2
• PHP, PHP 4.0.3
• PHP, PHP 4.0.4
• PHP, PHP 4.0.5
• PHP, PHP 4.0.6
• PHP, PHP 4.0.7
• PHP, PHP 4.1.0
• PHP, PHP 4.1.1
• PHP, PHP 4.1.2
• PHP, PHP 4.1.3
• PHP, PHP 4.2.0
• PHP, PHP 4.2.1
• PHP, PHP 4.2.2
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Linux 7
• RedHat, Linux 7.1
• RedHat, Linux 7.1 for iSeries
• RedHat, Linux 7.1 for pSeries
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• RedHat, Linux Advanced Workstation 2.1 Itanium
• RedHat, Stronghold

Remedy:

Upgrade to the latest version of PHP (4.2.3 or later), available from the PHP Web site. See References.

For Debian GNU/Linux:
Upgrade to the latest PHP3 or PHP4 package, as listed below. Refer to DSA-168-1 for more information. See References.

Debian GNU/Linux 2.2 (potato) for PHP3: 3.0.18-0potato1.2 or later
Debian GNU/Linux 2.2 (potato) for PHP4: 4.0.3pl1-0potato4 or later
Debian GNU/Linux 3.0 (woody) for PHP3: 3.0.18-23.1woody1 or later
Debian GNU/Linux 3.0 (woody) for PHP4: 4.1.2-5 or later

For Red Hat Linux:
Upgrade to the latest PHP package, as listed below. Refer to RHSA-2002:213-06 for more information. See References.

Red Hat 7.0: 4.1.2-7.0.6 or later
Red Hat 7.1: 4.1.2-7.1.6 or later
Red Hat 7.2: 4.1.2-7.2.6 or later
Red Hat 7.3: 4.1.2-7.3.6 or later

For Conectiva Linux:
Upgrade to the latest PHP3 and PHP4 packages, as listed below. Refer to Conectiva Linux Announcement CLSA-2002:545 for more information. See References.

PHP3:
Conectiva Linux 6.0: 3.0.18-9U60_2cl or later
Conectiva Linux 7.0: 3.0.18-10U70_1cl or later

PHP4:
Conectiva Linux 6.0: 4.0.4pl1-2U60_3cl or later
Conectiva Linux 7.0: 4.1.1-1U70_5cl or later
Conectiva Linux 8.0: 4.1.1-7U80_1cl or later

For Gentoo Linux:
Upgrade versions dev-php/php-4.2.2-r1 and/or dev-php/mod_php-4.2.2-r1 and earlier, as listed in Gentoo Linux Security Announcement 200211-005. See References.

For OpenPKG:
Upgrade to the latest php package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.032-php for more information. See References.

OpenPKG CURRENT: 4.3.2-20030529 or later
OpenPKG 1.1: 4.2.2-1.1.2 or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Bypass Security

References:

• BugTraq Mailing List, Fri Aug 23 2002 - 02:30:40 CDT, PHP: Bypass safe_mode and inject ASCII control chars with mail() at http://archives.neohapsis.com/archives/bugtraq/2002-08/0248.html.
• Conectiva Linux Announcement CLSA-2002:545, Safe mode bypass and other vulnerabilities at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000545.
• Gentoo Linux Security Announcement 200211-005, buffer overflow at http://www.linuxsecurity.com/content/view/104356/109/.
• PHP Group Web site, PHP 4 ChangeLog at http://www.php.net/ChangeLog-4.php.
• PHP Group Web site, PHP: Downloads at http://www.php.net/downloads.php.
• BID-5562: PHP Mail Function ASCII Control Character Header Spoofing Vulnerability
• CVE-2002-0986: The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a spam proxy.
• DSA-168: php -- bypassing safe_mode
• MDKSA-2003:082: Updated php packages fix vulnerabilities
• MDKSA-2003:082-1: Updated php packages fix vulnerabilities
• OpenPKG-SA-2003.032: PHP
• OSVDB ID: 2160: PHP Function CRLF Injection
• RHSA-2002-213: New PHP packages fix vulnerability in mail function
• RHSA-2002-214: php security update
• RHSA-2002-248: apache
• RHSA-2003-159: New PHP packages fix vulnerabilities
• US-CERT VU#410609: PHP fails to filter ASCII control characters from string arguments of mail() function

Reported:

Aug 23, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page