[nycphp-talk] worm/virus's hammering feedback scripts?
Hans Zaunere
lists at zaunere.com
Wed Sep 14 07:16:29 EDT 2005
Daniel Krook scribbled on Monday, September 12, 2005 11:43 PM:
> > Is this exploit PHP specific? Although I haven't confirmed, the nature of
> > the vulnerability would appear to affect any mailing web form, in nearly
> > any language. Can anyone provide additional details?
>
>
> Hmm,
>
> An interesting question...
>
> From my experience developing feedback forms in Java using the JavaMail
> API, the "to" or "from" email addresses are of the type
> javax.mail.internet.InternetAddress, which takes a String in its
> constructor and throws an exception
> (javax.mail.internet.AddressException) if the address cannot be
> parsed in RFC822 format (the default):
>
>
> http://java.sun.com/products/javamail/javadocs/javax/mail/internet/InternetAddress.html#InternetAddress(java.lang.String)
>
> These InternetAddress objects are normally given to an instance of
> type javax.mail.internet.MimeMessage which is itself given an
> instance of javax.mail.Session. You often set MimeMessage's
> recipients with methods which take InternetAddresses, but can also
> take raw Strings.
>
> The setSubject method of MimeMessage takes Strings, and it explicitly
> notes in the Javadoc that "The application must ensure that the
> subject does not contain any line breaks", which seems to suggest
> that it is also known to be vulnerable to an exploit of this nature.
>
>
> http://java.sun.com/products/javamail/javadocs/javax/mail/internet/MimeMessage.html#setSubject(java.lang.String)
>
> So it would seem if you ventured past the parts of the JavaMail API
> which allow you to use Strings, instead of creating InternetAddress
> objects and hardcoding the subject, you would be "safe" from the
> exploit, but you should double check any methods that you are using
> that expect Strings.
Good point - looks like justification for a wrapper class for the mail()
function in PHP.
We're working on getting a Phundamentals article online covering the
discussion over the last couple of days. Thanks Roland and everyone for
their feedback and discussion.
---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com
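The wrapper class Hans suggests above, as an added illustration rather than code from the thread or from New York PHP: it mirrors what JavaMail's InternetAddress does for addresses and what the setSubject Javadoc asks the application to do for subjects, refusing any header value that contains a line break before mail() ever sees it. The class name, the example addresses and the tainted form field are constructed for this example; it assumes PHP 5.2 or later for filter_var() with FILTER_VALIDATE_EMAIL.

```php
<?php
// Added example (not from the original thread): a minimal wrapper around
// PHP's mail() that blocks header injection. Every value that ends up on a
// header line is checked for CR/LF/NUL before the message is assembled.
// Assumes PHP >= 5.2 for filter_var()/FILTER_VALIDATE_EMAIL.

final class SafeMailer
{
    /**
     * Reject any value containing a carriage return, line feed or NUL.
     * A line break inside an address or subject is exactly what lets a
     * submitted form field append extra headers (Bcc:, To:, ...).
     */
    private function assertSingleLine($name, $value)
    {
        if (preg_match('/[\r\n\0]/', $value)) {
            throw new InvalidArgumentException(
                "Header value for '$name' contains a line break");
        }
    }

    /** Validate one bare address, roughly what InternetAddress does in JavaMail. */
    public function address($raw)
    {
        $raw = trim($raw);
        $this->assertSingleLine('address', $raw);
        if (filter_var($raw, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("Not a valid address: $raw");
        }
        return $raw;
    }

    /** Send a single-recipient message; the subject is hard-coded by the caller. */
    public function send($to, $from, $subject, $body)
    {
        $to   = $this->address($to);
        $from = $this->address($from);
        $this->assertSingleLine('subject', $subject);

        // Only headers this wrapper itself composes; nothing user-supplied
        // reaches the header block except the validated From address.
        $headers = "From: $from\r\n"
                 . "Reply-To: $from\r\n"
                 . "X-Mailer: SafeMailer-example\r\n";

        return mail($to, $subject, $body, $headers);
    }
}

// Constructed sample input: a "from" field that smuggles a Bcc: header
// after a CRLF, the pattern the worms in this thread were sending.
$tainted = "visitor@example.com\r\nBcc: someone-else@example.net";

$mailer = new SafeMailer();
try {
    $mailer->send('webmaster@example.com', $tainted, 'Site feedback', 'Hello');
} catch (InvalidArgumentException $e) {
    // Log and drop the request instead of sending a polluted message.
    error_log('Rejected feedback submission: ' . $e->getMessage());
}
```

Two design choices worth noting: the wrapper never takes an additional-headers string from the caller at all, so the only way user input reaches the header block is through address(), and it accepts only bare addresses (display-name forms like `Name <user@example.com>` are rejected by FILTER_VALIDATE_EMAIL), which is the same trade-off as building InternetAddress objects instead of passing raw Strings. Logging the rejection, rather than silently stripping the newline, is what lets you see a worm hammering the form in the first place.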