Forums / General / email header injection
James Ward
Tuesday 28 November 2006 12:11:36 pm
I've seen a lot of email header injection attempts on the "tip a friend" forms on multiple eZ Publish installs I am hosting. Are there any known vulnerabilities with these forms which I should be aware of?
working at www.wardnet.com blogging at www.jamesward.ca
Georg Franz
Tuesday 28 November 2006 12:26:20 pm
Hi,
have a look at http://ez.no/community/forum/general/how_avoid_tip_a_friend_abuse
I was also attacked by a Russian spammer. I disabled the tipafriend function.
Best wishes, Georg. -- http://www.schicksal.com Horoskop website which uses eZ Publish since 2004
Claudia Kosny
Wednesday 29 November 2006 11:50:58 am
Hi James
I recently skimmed over some mail classes in EZ and according to my tests the fields for the email addresses of sender and receiver do not pose any problem as the content is validated against a regular expression (which is actually too strict and forbids some valid email addresses as well).
The field for the name of the sender unfortunately seems to be an open door for injection (at least it was on my setup). The same might be true for the name of the receiver, I have not tested this. For now I will just check whether one of these variables contains a linebreak and display an error message if that is the case. I am not sure whether this is sufficient but my mailbox will certainly tell me soon...
Injecting additional message text did not work for me, but I haven't tried too hard. Removing new lines from the name field should hopefully prevent this anyway.
Claudia
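The line-break check described in the post above, as an added example that is not part of the original thread and is not eZ Publish code. It goes slightly further than the post by rejecting every ASCII control character and by encoding the display name; the function names `isSafeHeaderValue` and `buildFromHeader`, the 40-byte name limit and all sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; function names are hypothetical, not eZ Publish API.

/** True only if $value has no CR, LF, NUL or other ASCII control bytes. */
function isSafeHeaderValue(string $value): bool
{
    // === 0 so that a preg error (false) is treated as unsafe, not safe.
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

/** Build a From header from user-supplied name and address, or throw. */
function buildFromHeader(string $name, string $email): string
{
    if (!isSafeHeaderValue($name) || !isSafeHeaderValue($email)) {
        throw new InvalidArgumentException('control character in header field');
    }
    if ($name === '' || strlen($name) > 40) {
        throw new InvalidArgumentException('name must be 1-40 bytes');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    // RFC 2047 encoded-word: the name travels as base64, so quotes, commas
    // and non-ASCII bytes cannot change the header's structure either.
    // 40 bytes keeps the encoded-word within the 75-character limit.
    return 'From: =?UTF-8?B?' . base64_encode($name) . '?= <' . $email . '>';
}

// Constructed sample inputs, not taken from real traffic.
$samples = [
    ['Claudia Example', 'claudia@example.com'],
    ["Friend\r\nX-Injected: 1", 'friend@example.com'],
    ["Friend\nsecond line", 'friend@example.com'],
    ['Friend', "friend@example.com\r\nX-Injected: 1"],
];

foreach ($samples as [$name, $email]) {
    try {
        echo buildFromHeader($name, $email), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', json_encode($name), ': ', $e->getMessage(), PHP_EOL;
    }
}
```

The control-character check runs before the address validation so that a line break in either field is rejected for that reason and can be logged as an injection attempt rather than as a typo.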
Wednesday 29 November 2006 1:14:01 pm
Thanks both for all the information.
Claudia, I am very happy to see someone giving this serious issue the attention it deserves. I don't want to hijack my own thread but perhaps you or someone else has dealt with the issue of user registration being injected to validate without any values for username or email address? I have seen this on a couple of eZ Publish sites I run.
Thanks again, James
Friday 01 December 2006 2:53:40 pm
I don't run the sites and was not told of any such problems yet, so I cannot help you there.