A new exploit has been discovered in PHP applications. Applications which take
the input from a HTML form, and turn it into an email, may be vulnerable. It's
possible to piggy-back a complete spam email in the form, and so turn a
legitimate webserver into a spam mailserver.
This one's going to be fun to fix, as it's not a PHP bug. PHP apps need to be
updated to check for this attack and to block it.
I'm not familiar with python/perl web apps, so I can't say whether or not these
apps will also be vulnerable to the same basic technique. I'd suggest assuming
so until someone proves otherwise :(
ok, not quite sure how security handles this, rated B4 because it seems to be a
bit of an XSS.
web-apps team is about to start a major audit session of all webapps.
Please open new bugs for each (bunch of) package(s).
Stuart will you coordinate with webapps?
What makes this attack new ? User input always had to be triplechecked before
being used, especially when used to run a system command, send mail or make an
Next: webapps as a SQL injection tool ?
This should be an (open) Auditing bug, I think.
Reassigning to web-apps who are welcome to audit their packages and report
Unrestricting so that they can freely access it. Cc:ing security.
Stuart - where do we stand on this? I would imagine this is an upstream issue.
I'm going to go ahead and close as CANTFIX as this is an upstream issue.