[Bug 263340] New: VUL-0: php: PMOPB-45-2007:PHP ext/filter Email Validation Vulnerability
https://bugzilla.novell.com/show_bug.cgi?id=263340

Summary: VUL-0: php: PMOPB-45-2007:PHP ext/filter Email Validation Vulnerability
Product: openSUSE 10.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: anosek@novell.com
ReportedBy: meissner@novell.com
QAContact: qa@suse.de
CC: security-team@suse.de

post month of php bugs ...

http://www.php-security.org/MOPB/PMOPB-45-2007.html

The first Post Month of PHP Bugs vulnerability describes a vulnerability in PHP's new input filtering/validation extension. The FILTER_VALIDATE_EMAIL filter of ext/filter internally uses a wrong regular expression that allows injecting a newline character at the end of the email string.

Affected versions

Affected is PHP 5.2.0 and PHP 5.2.1

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
------- Comment #1 from judas_iscariote@shorewall.net 2007-04-11 13:08 MST -------
not yet fixed,
/sapi/cli/php test.php
string(17) "test@example.com
"
should be "bool false".
/sapi/cli/php -v
PHP 5.2.2RC2-dev (cli) (built: Apr 11 2007 15:07:07) (DEBUG)
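A Python reproduction of the anchoring bug behind the string(17) result above (added here as an illustration; it is not code from the bug report, from PHP's ext/filter, or from the MOPB advisory). The local-part and hostname alternatives are a simplified copy of the pattern ext/filter used in 5.2.0/5.2.1, with the quoted-local-part and IPv4-literal branches left out. The assumption that makes the reproduction valid is that Python's re treats $ exactly as PCRE does without the D modifier (end of subject, or just before one final newline) and \Z as PCRE's \z, which is what the D modifier makes $ mean; the re.ASCII flag keeps \w at PCRE's default ASCII meaning.

```python
import re

# Simplified from the ext/filter pattern of PHP 5.2.0/5.2.1: a dotted local
# part, '@', and a dotted hostname. The quoted-local-part and IPv4-literal
# branches of the original are dropped; the anchoring is what matters here.
LOCAL = r"[\w!#$%&'*+\-~/^`|{}]+(?:\.[\w!#$%&'*+\-~/^`|{}]+)*"
DOMAIN = r"(?:[A-Za-z0-9\-]+\.)+[A-Za-z\-]+"

# As shipped: '$' in Python's re, like PCRE '$' without the D modifier, also
# matches immediately before a single newline that ends the subject.
VULN_RE = re.compile(r"^(" + LOCAL + r")@(" + DOMAIN + r")$", re.ASCII)

# As fixed: Python's '\Z' is PCRE's '\z', i.e. what '$' means under the D
# (PCRE_DOLLAR_ENDONLY) modifier: only the true end of the subject.
FIXED_RE = re.compile(r"^(" + LOCAL + r")@(" + DOMAIN + r")\Z", re.ASCII)


def validate_email_vulnerable(addr):
    """Mirror filter_var(..., FILTER_VALIDATE_EMAIL) on 5.2.0/5.2.1:
    the input string on success, False otherwise."""
    return addr if VULN_RE.match(addr) else False


def validate_email_fixed(addr):
    """The same filter with D-modifier semantics on the anchor."""
    return addr if FIXED_RE.match(addr) else False


def validate_email_hardened(addr):
    """Defence in depth for anything that ends up in a mail header or an SMTP
    envelope: refuse CR and LF anywhere, independently of the regex."""
    if "\r" in addr or "\n" in addr:
        return False
    return validate_email_fixed(addr)


def lf_window(addr):
    """Which trailing line-break variants does the shipped pattern accept?
    Returns {suffix: accepted}. Only a lone '\\n' gets through; '\\r\\n' and
    '\\n\\n' are already rejected by '$' itself."""
    return {s: bool(VULN_RE.match(addr + s)) for s in ("", "\n", "\r\n", "\n\n")}


if __name__ == "__main__":
    probe = "test@example.com\n"            # the 17-byte string from comment #1
    print(repr(validate_email_vulnerable(probe)))  # the probe itself, not False
    print(validate_email_fixed(probe))             # False
    print(validate_email_hardened(probe))          # False
    print(lf_window("test@example.com"))
```

lf_window() makes the size of the hole explicit: the unanchored $ admits exactly one trailing LF, while CRLF and a double LF are rejected even by the vulnerable pattern, so a caller only ever received an address with a single bare line feed appended.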
------- Comment #2 from judas_iscariote@shorewall.net 2007-04-11 13:34 MST -------
proposed fix
--- ext/filter/logical_filters.c 1 Jan 2007 09:36:00 -0000 1.1.2.21 +++ ext/filter/logical_filters.c 11 Apr 2007 19:13:18 -0000 @@ -469,7 +469,7 @@ void php_filter_validate_email(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ { /* From http://cvs.php.net/co.php/pear/HTML_QuickForm/QuickForm/Rule/Email.php?r=1.4 */ - const char regexp[] = "/^((\\\"[^\\\"\\f\\n\\r\\t\\b]+\\\")|([\\w\\!\\#\\$\\%\\&\\'\\*\\+\\-\\~\\/\\^\\`\\|\\{\\}]+(\\.[\\w\\!\\#\\$\\%\\&\\'\\*\\+\\-\\~\\/\\^\\`\\|\\{\\}]+)*))@((\\[(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))\\])|(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))|((([A-Za-z0-9\\-])+\\.)+[A-Za-z\\-]+))$/"; + const char regexp[] = "/^((\\\"[^\\\"\\f\\n\\r\\t\\b]+\\\")|([\\w\\!\\#\\$\\%\\&\\'\\*\\+\\-\\~\\/\\^\\`\\|\\{\\}]+(\\.[\\w\\!\\#\\$\\%\\&\\'\\*\\+\\-\\~\\/\\^\\`\\|\\{\\}]+)*))@((\\[(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))\\])|(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))|((([A-Za-z0-9\\-])+\\.)+[A-Za-z\\-]+))$/D"; pcre *re = NULL; pcre_extra *pcre_extra = NULL;
(just missing the D modifier)
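Review bot: the D modifier is the right one-character fix (PCRE_DOLLAR_ENDONLY makes `$` match only at the very end of the subject, so the lone trailing `\n` that slipped through is now rejected), but nothing in the hunk records why it is there, and the comment directly above the pattern says it was copied from HTML_QuickForm's Email.php. A later re-sync with that upstream pattern would silently drop the modifier and reintroduce the bug; suggest a one-line comment above `const char regexp[]` stating that `/D` is required so `$` does not match before a final newline, or replacing the trailing `$` in the pattern with `\\z` so the anchor documents itself.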
lkundrak@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lkundrak@redhat.com

------- Comment #3 from lkundrak@redhat.com 2007-04-12 01:57 MST -------
Apart from that CVE says that this is a CRLF injection, and \n is not CRLF in GNU/Linux, what is the real risk here? I can't think of any situation when you can inject SMTP commands that can be achieved with just one line break. Though I haven't extensively tested it, I am pretty confident that the SMTP server would just complain about a malformed RCPT TO: command and refuse to send the message. Which is pretty sane, as there's nothing better than not sending a message when you do not have a valid e-mail address.
------- Comment #4 from lnussel@novell.com 2007-04-12 02:04 MST -------
Yeah, calling that a vulnerability sounds like an overstatement.
------- Comment #7 from judas_iscariote@shorewall.net 2007-04-12 02:09 MST -------
(In reply to comment #3)
> Apart from that CVE says that this is a CRLF injection, and \n is not CRLF in GNU/Linux, what is the real risk here?
I think this issue is pretty minor, yes.
> I can't think of any situation when you can inject SMTP commands that can be achieved with just one line break.
Indeed. It may be hard or impossible, even more so when this extension is not really widely used in applications (Google Code Search returns 4 matches, 1 being PHP itself).
------- Comment #8 from lnussel@novell.com 2007-04-12 02:44 MST -------
CVE-2007-1900 (under review)
Status: Candidate
Description: CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter in ext/filter in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to inject arbitrary e-mail headers via an e-mail address with a '\n' character, which causes a regular expression to ignore the subsequent part of the address string.
References
 * MISC: http://www.php-security.org/MOPB/PMOPB-45-2007.html
 * BID: 23359
 * URL: http://www.securityfocus.com/bid/23359
 * SECUNIA: 24824
 * URL: http://secunia.com/advisories/24824
Phase: Assigned (20070410)
------- Comment #9 from lkundrak@redhat.com 2007-04-12 05:12 MST -------
$ cat php.ini
extension=filter.so
sendmail_path=/bin/cat
$ cat PMOPB-45-2007.php
<?php
// Push an address carrying trailing newlines through the three PEAR Mail
// backends and look at what each one actually emits. sendmail_path=/bin/cat
// in php.ini makes the mail() backend print the raw message instead of
// delivering it; the smtp backend talks to the local MTA with debug output on.
require_once 'Mail.php';

$address = "usser@example.com\n\n\n";
$subject = 'PMOPB-45-2007';
$body    = "Hugs and kisses to Stefan!";

$mailers = array(
    'mail'     => Mail::factory('mail'),
    'sendmail' => Mail::factory('sendmail', array(
        'sendmail_path' => '/bin/cat',
        'sendmail_args' => '; true')),
    'smtp'     => Mail::factory('smtp', array(
        'debug' => TRUE))
);

foreach ($mailers as $backend => $mailer) {
    echo("===== $backend backend =====\n");
    // The address is used both as the envelope recipient and in the To: header.
    $mailer->send($address, array(
        'Subject' => $subject,
        'To'      => $address,
        'From'    => 'anotheruser@example.com'),
        $body);
    echo("\n");
}
?>
$ php PMOPB-45-2007.php
===== mail backend =====
To: usser@example.com
Subject: PMOPB-45-2007
From: anotheruser@example.com
Hugs and kisses to Stefan!
===== sendmail backend =====
Subject: PMOPB-45-2007
To: usser@example.com
From: anotheruser@example.com
Hugs and kisses to Stefan!
===== smtp backend =====
DEBUG: Recv: 220 pluto.brq.redhat.com ESMTP Postfix
DEBUG: Send: EHLO localhost
DEBUG: Recv: 250-pluto.brq.redhat.com
DEBUG: Recv: 250-PIPELINING
DEBUG: Recv: 250-SIZE 10240000
DEBUG: Recv: 250-VRFY
DEBUG: Recv: 250-ETRN
DEBUG: Recv: 250-ENHANCEDSTATUSCODES
DEBUG: Recv: 250-8BITMIME
DEBUG: Recv: 250 DSN
DEBUG: Send: MAIL FROM:
------- Comment #10 from lkundrak@redhat.com 2007-04-12 09:03 MST -------
Oh, and when it comes to SMTP, the extra blank line does no harm, except for a "500 5.5.2 Error: bad syntax" error code returned by the server (at least Postfix). Moreover, the sendmail command from both Postfix and Sendmail removes leading and trailing whitespace from e-mail addresses given as command-line arguments. Obviously, sesser spared his best issue for the end of the MOPB.
anosek@novell.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Comment #11 from anosek@novell.com 2007-04-26 06:26 MST -------
Created patches for 10.2 and Stable: php-*-CVE-2007-1900.patch
------- Comment #12 from judas_iscariote@shorewall.net 2007-04-26 06:29 MST -------
and the official fix has not been committed to the PHP CVS. I'll check why ...
anosek@novell.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|anosek@novell.com           |security-team@suse.de
             Status|ASSIGNED                    |NEW

------- Comment #13 from anosek@novell.com 2007-05-02 10:29 MST -------
Submitted fixed packages. This bug was fixed in: php5-10.2
lnussel@novell.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|                       |270938
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Comment #14 from lnussel@novell.com 2007-05-03 08:41 MST -------
tracked in #270938
------- Comment #15 from judas_iscariote@shorewall.net 2007-05-04 00:23 MST -------
identical fix applied to PHP CVS, not part of PHP 5.2.2 though (I wonder why it is not there..)
------- Comment #16 from judas_iscariote@shorewall.net 2007-05-04 04:23 MST -------
fixed in buildservice too (to be merged to Factory when possible)