Red Hat Bugzilla – Bug 540842
CVE-2009-4023 CVE-2009-4111 php-pear-Mail: Absent sanitization of mail header fields
Last modified: 2010-12-21 17:04:57 EST
PEAR's Mail class did not properly escape the content of mail header fields
when using the sendmail backend. A remote attacker could send an email
message with specially-crafted headers to a local user, leading to
disclosure of content and, potentially, to modification of an arbitrary
system file, once the email message was processed by the PEAR's Mail
Please pay attention also to comment:
[2009-11-21 08:19 UTC] rgeissert (Raphael Geissert)
which suggests the proposed patch might be incomplete.
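require_once 'Mail.php';
// The From value is taken directly from the request, with no sanitization
$from = "From: " . $_REQUEST['email'] . "\r\n";
$to = "email@example.com";
$subj = "subscription request";
$body = "subscribe me";
// $cc and $bcc are not defined anywhere in the report
$hdrs = array(
    "To" => $to,
    "Cc" => $cc,
    "Bcc" => $bcc,
    "From" => $from,
    "Subject" => $subj,
);
// The sendmail backend is the affected code path
$mail =& Mail::factory('sendmail');
$mail->send($to, $hdrs, $body);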
Note: You might need to change the patch to ':/usr/share/pear/:'.
After this I can view the content of my /etc/passwd with
some add-ons as /tmp/wokao.
This issue affects the versions of the php-pear-Mail package, as shipped
with Fedora releases 10, 11, and 12, and as shipped with the Extra Packages
for Enterprise Linux 5 (EPEL-5) project.
This is CVE-2009-4023.
php-pear-Mail-1.1.14-5.el5.1 has been submitted as an update for Fedora EPEL 5.
Common Vulnerabilities and Exposures assigned a separate identifier of CVE-2009-4111 for the missing sanitization of the $recipients header of php-pear-Mail:
Argument injection vulnerability in Mail/sendmail.php in the Mail
package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows
remote attackers to read and write arbitrary files via a crafted
$recipients parameter, and possibly other parameters, a different
vulnerability than CVE-2009-4023.
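
The following PHP code is an added example, not the PEAR Mail patch or any code from this report. It shows one way a caller can defend against both issues: rejecting header values that contain line breaks, and validating and quoting the sender and each recipient before they reach a sendmail command line. The function names, the command shape (`-i -f <sender> -- <recipients>`) and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not PEAR Mail code. All function names are hypothetical.

// Accept only a plain addr-spec: no whitespace or control characters, and no
// leading '-' that the sendmail binary could read as an option.
function assert_safe_address(string $addr): string
{
    if ($addr === '' || $addr[0] === '-'
        || preg_match('/[\s\x00-\x1f\x7f]/', $addr)
        || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('unsafe address rejected');
    }
    return $addr;
}

// A header value must not contain CR, LF or NUL, which would start a new header.
function format_header(string $name, string $value): string
{
    if (!preg_match('/^[A-Za-z0-9-]+$/', $name) || preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException("unsafe header rejected: $name");
    }
    return "$name: $value";
}

// Assumed command shape: <binary> -i -f <sender> -- <recipients...>.
// Every user-influenced token is validated, then quoted as a single argument.
function build_sendmail_command(string $bin, string $from, array $recipients): string
{
    $cmd = escapeshellcmd($bin) . ' -i -f ' . escapeshellarg(assert_safe_address($from)) . ' --';
    foreach ($recipients as $rcpt) {
        $cmd .= ' ' . escapeshellarg(assert_safe_address($rcpt));
    }
    return $cmd;
}

// Constructed sample senders: one clean, one with an extra token, one with CRLF.
$senders = ['subscriber@example.org', 'subscriber@example.org extra-token',
            "subscriber@example.org\r\nBcc: other@example.org"];
foreach ($senders as $from) {
    try {
        $header = format_header('From', $from);
        $cmd = build_sendmail_command('/usr/sbin/sendmail', $from, ['email@example.com']);
        echo "OK: $cmd | $header\n";
    } catch (InvalidArgumentException $e) {
        echo 'REJECTED: ' . $e->getMessage() . "\n";
    }
}
```

Only the first sample produces a command; the other two are rejected before any command string is built.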
php-pear-Mail-1.1.14-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
php-pear-Mail-1.1.14-5.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
php-pear-Mail-1.1.14-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
php-pear-Mail-1.1.14-5.el5.1 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.