email header injection

Author Message

James Ward

Tuesday 28 November 2006 12:11:36 pm

I've seen a lot of email header injection attempts on the "tip a friend" forms on multiple ez publish installs I am hosting. Are there any known vulnerabilities with these forms which I should be aware of?

working at www.wardnet.com
blogging at www.jamesward.ca

Georg Franz

Tuesday 28 November 2006 12:26:20 pm

Hi,

have a look at
http://ez.no/community/forum/general/how_avoid_tip_a_friend_abuse

I was also attacked by a Russian spammer. I disabled the tipafriend function.

Best wishes,
Georg.

--
http://www.schicksal.com Horoskop website which uses eZ Publish since 2004

Claudia Kosny

Wednesday 29 November 2006 11:50:58 am

Hi James

I recently skimmed over some mail classes in EZ and according to my tests the fields for the email addresses of sender and receiver do not pose any problem as the content is validated against a regular expression (which is actually too strict and forbids some valid email addresses as well).

The field for the name of the sender unfortunately seems to be an open door for injection (at least it was on my setup). The same might be true for the name of the receiver, I have not tested this. For now I will just check whether one of these variables contains a linebreak and display an error message if that is the case. I am not sure whether this is sufficient but my mailbox will certainly tell me soon...

Injecting additional message text did not work for me, but I haven't tried too hard. Removing new lines from the name field should hopefully prevent this anyway.

Claudia
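
The linebreak check described in the post above, shown next to an unchecked header build. This is an added example, not part of the original thread and not eZ Publish's own code; the function names and sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from eZ Publish.

// Unchecked build: whatever is in $name ends up in the header block.
function buildFromHeaderNaive(string $name, string $email): string
{
    return "From: $name <$email>";
}

// Reject a display name that could end the header line early.
// CR and LF terminate a header; other control characters are refused as well.
function assertSafeDisplayName(string $name): string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        throw new InvalidArgumentException('Name contains control characters');
    }
    return trim($name);
}

// Checked build: validate both parts, then quote the name as one phrase.
// Non-ASCII names would additionally need MIME encoding (not shown here).
function buildFromHeader(string $name, string $email): string
{
    $name = assertSafeDisplayName($name);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    $quoted = '"' . addcslashes($name, "\"\\") . '"';
    return "From: $quoted <$email>";
}

// Constructed sample input: the second name carries CRLF plus an extra header.
$samples = [
    'Alice Example',
    "Alice\r\nBcc: someone@example.org",
];

foreach ($samples as $name) {
    // json_encode makes the embedded CR/LF visible in the output.
    echo 'naive:   ', json_encode(buildFromHeaderNaive($name, 'alice@example.com')), "\n";
    try {
        echo 'checked: ', json_encode(buildFromHeader($name, 'alice@example.com')), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'checked: rejected (', $e->getMessage(), ")\n";
    }
}
```

The same check applies to every user-supplied value that is placed in a header, including the receiver name and the subject.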

James Ward

Wednesday 29 November 2006 1:14:01 pm

Thanks both for all the information.

Claudia,
I am very happy to see someone giving this serious issue the attention it deserves. I don't want to hijack my own thread but perhaps you or someone else has dealt with the issue of user registration being injected to validate without any values for username or email address? I have seen this on a couple of ezpublish sites I run.

Thanks again,
James

working at www.wardnet.com
blogging at www.jamesward.ca

Claudia Kosny

Friday 01 December 2006 2:53:40 pm

Hi James

I don't run the sites and was not told of any such problems yet, so I cannot help you there.

Claudia
