A new exploit has been discovered in PHP applications. Applications which take the input from an HTML form, and turn it into an email, may be vulnerable. It's possible to piggy-back a complete spam email in the form, and so turn a legitimate webserver into a spam mailserver.

This one's going to be fun to fix, as it's not a PHP bug. PHP apps need to be updated to check for this attack and to block it. I'm not familiar with Python/Perl web apps, so I can't say whether or not these apps will also be vulnerable to the same basic technique. I'd suggest assuming so until someone proves otherwise :(

Best regards,
Stu
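An added example, not part of the original report or of any package discussed here: one way a form-to-email handler can make the check the report calls for. It assumes the piggy-backing relies on line breaks in form fields that get copied into mail headers; the function names and sample values are hypothetical and constructed.

```php
<?php
// Hypothetical helper: refuse any value bound for a mail header if it
// contains CR, LF or NUL. Assumption: extra lines in header-bound fields
// are what lets a submitted form carry more than the intended message.
function clean_header_value(string $value): string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException('line break in header field');
    }
    return trim($value);
}

// Hypothetical handler: build the message parts from form input.
// The recipient is fixed server-side and never taken from the form.
function build_contact_mail(array $form, string $fixedRecipient): array
{
    $from = clean_header_value((string)($form['email'] ?? ''));
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    $subject = clean_header_value((string)($form['subject'] ?? ''));
    // The body may legitimately span lines; only normalise line endings.
    $body = str_replace(["\r\n", "\r"], "\n", (string)($form['message'] ?? ''));
    return [
        'to'      => $fixedRecipient,
        'subject' => $subject,
        'body'    => $body,
        'headers' => ['Reply-To' => $from], // array form needs PHP >= 7.2
    ];
}

// Constructed sample submissions: one ordinary, one with an extra header line.
$samples = [
    'ordinary'   => ['email' => 'visitor@example.org', 'subject' => 'Hello',
                     'message' => "Line one\r\nLine two"],
    'multi-line' => ['email' => "visitor@example.org\r\nX-Extra: 1",
                     'subject' => 'Hello', 'message' => 'text'],
];
foreach ($samples as $name => $form) {
    try {
        $mail = build_contact_mail($form, 'webmaster@example.org');
        // A real handler would now call:
        // mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
        echo "$name: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```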
OK, not quite sure how security handles this, rated B4 because it seems to be a bit of an XSS. Web-apps team is about to start a major audit session of all webapps.
Please open new bugs for each (bunch of) package(s). Stuart, will you coordinate with webapps?
What makes this attack new? User input always had to be triple-checked before being used, especially when used to run a system command, send mail or make an SQL query... Next: webapps as a SQL injection tool? This should be an (open) Auditing bug, I think.
Reassigning to web-apps who are welcome to audit their packages and report vulnerabilities.
Unrestricting so that they can freely access it. Cc:ing security.
Stuart - where do we stand on this? I would imagine this is an upstream issue.
I'm going to go ahead and close as CANTFIX as this is an upstream issue.