
Bug 101246

Summary: webapps as a spam relay
Product: Gentoo Linux
Reporter: Stuart Herbert (RETIRED) <stuart>
Component: Current packages
Assignee: Gentoo Web Application Packages Maintainers <web-apps>
Status: RESOLVED CANTFIX
Severity: normal
CC: ramereth, security, tomk
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.php.net/manual/en/ref.mail.php#55256
Whiteboard:
Package list:
Runtime testing required: ---

Description Stuart Herbert (RETIRED) gentoo-dev 2005-08-03 13:20:51 UTC
A new exploit has been discovered in PHP applications.  Applications which take
the input from a HTML form, and turn it into an email, may be vulnerable.  It's
possible to piggy-back a complete spam email in the form, and so turn a
legitimate webserver into a spam mailserver.

This one's going to be fun to fix, as it's not a PHP bug.  PHP apps need to be
updated to check for this attack and to block it.

I'm not familiar with python/perl web apps, so I can't say whether or not these
apps will also be vulnerable to the same basic technique.  I'd suggest assuming
so until someone proves otherwise :(

Best regards,
Stu
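
The check the description asks PHP applications to make, as an added example that is not part of the original report or of any Gentoo package: form fields that end up in mail headers are rejected when they contain a line break. The function names, field names and addresses are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example: field names and addresses below are constructed.

/** True when $value is a string with no CR, LF or NUL. Mail headers are
 *  separated by line breaks, so a line break inside a field that ends up
 *  in a header lets the submitter add header lines of their own. */
function header_safe($value): bool
{
    return is_string($value) && preg_match('/[\r\n\x00]/', $value) !== 1;
}

/** Returns the arguments for mail(), or null if the form is rejected. */
function build_contact_mail(array $form): ?array
{
    $name    = $form['name'] ?? null;
    $email   = $form['email'] ?? null;
    $subject = $form['subject'] ?? null;
    $message = $form['message'] ?? null;

    // Every field that reaches a header (including Subject) is checked.
    foreach ([$name, $email, $subject] as $field) {
        if (!header_safe($field)) {
            return null;
        }
    }
    if (!is_string($message) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return [
        'to'      => 'webmaster@example.org', // fixed server-side, never from the form
        'subject' => $subject,
        'message' => "From: $name <$email>\n\n" . $message, // user text stays in the body
        'headers' => "From: webform@example.org\r\nReply-To: $email",
    ];
}

// Constructed test submissions: one ordinary, one with an embedded line break.
$ok  = ['name' => 'Alice', 'email' => 'alice@example.org',
        'subject' => 'Hello', 'message' => "Line one\nLine two"];
$bad = ['email' => "alice@example.org\r\nX-Injected: yes"] + $ok;

foreach (['ordinary' => $ok, 'embedded line break' => $bad] as $label => $form) {
    $mail = build_contact_mail($form);
    echo $label, ': ', $mail === null ? 'rejected' : 'accepted', "\n";
    // In a real handler: if ($mail !== null) mail($mail['to'], $mail['subject'], $mail['message'], $mail['headers']);
}
```
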
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-03 14:38:40 UTC
ok, not quite sure how security handles this, rated B4 because it seems to be a
bit of an XSS.

web-apps team is about to start a major audit session of all webapps.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-03 22:29:22 UTC
Please open new bugs for each (bunch of) package(s). 
 
Stuart will you coordinate with webapps? 
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-08-04 00:45:23 UTC
What makes this attack new? User input always had to be triple-checked before
being used, especially when used to run a system command, send mail or make an
SQL query...

Next: webapps as a SQL injection tool?

This should be an (open) Auditing bug, I think.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-04 00:57:37 UTC
Reassigning to web-apps who are welcome to audit their packages and report 
vulnerabilities.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-08-04 01:03:02 UTC
Unrestricting so that they can freely access it. Cc:ing security.
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2005-12-15 10:20:18 UTC
Stuart - where do we stand on this? I would imagine this is an upstream issue.
Comment 7 Renat Lumpau (RETIRED) gentoo-dev 2006-01-25 18:53:22 UTC
I'm going to go ahead and close as CANTFIX as this is an upstream issue.