Bug 101246 - webapps as a spam relay
Summary: webapps as a spam relay
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Web Application Packages Maintainers
URL: http://www.php.net/manual/en/ref.mail...
Reported: 2005-08-03 13:20 UTC by Stuart Herbert (RETIRED)
Modified: 2006-01-25 18:53 UTC (History)
Description Stuart Herbert (RETIRED) gentoo-dev 2005-08-03 13:20:51 UTC
A new exploit has been discovered in PHP applications.  Applications which take
the input from an HTML form, and turn it into an email, may be vulnerable.  It's
possible to piggy-back a complete spam email in the form, and so turn a
legitimate webserver into a spam mailserver.

This one's going to be fun to fix, as it's not a PHP bug.  PHP apps need to be
updated to check for this attack and to block it.

I'm not familiar with python/perl web apps, so I can't say whether or not these
apps will also be vulnerable to the same basic technique.  I'd suggest assuming
so until someone proves otherwise :(

Best regards,
Stu
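
The check the description says PHP apps need, as an added example that is not code from this bug or from any Gentoo package: a form value that ends up in a mail header is refused if it contains a line break, since that is what lets extra headers or a second message ride along. The function names, form field names and example.org addresses are assumptions.

```php
<?php
declare(strict_types=1);

// A value destined for a mail header must be one line: no CR, LF or NUL.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Returns a list of error strings; an empty list means the form is safe to mail.
function validate_contact_form(array $form): array
{
    $errors = [];
    $email   = (string)($form['email'] ?? '');
    $subject = (string)($form['subject'] ?? '');

    foreach (['email' => $email, 'subject' => $subject] as $field => $value) {
        if (!is_single_line($value)) {
            $errors[] = "$field contains a line break";
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Hypothetical send routine: refuses bad input instead of trying to clean it.
function send_contact_mail(array $form): bool
{
    if (validate_contact_form($form) !== []) {
        return false;
    }
    // The recipient is fixed by the site. Form input only fills
    // single-line headers (already validated) and the message body.
    $headers = "From: webform@example.org\r\nReply-To: " . (string)$form['email'];
    return mail('owner@example.org', (string)$form['subject'],
                (string)($form['message'] ?? ''), $headers);
}

// Constructed inputs: the second carries an extra header line in "email".
$ok  = ['email' => 'ann@example.org', 'subject' => 'Hi', 'message' => 'Hello'];
$bad = ['email' => "ann@example.org\r\nBcc: list@example.net"] + $ok;
var_dump(validate_contact_form($ok));
var_dump(validate_contact_form($bad));
```

The message body is not checked for line breaks because it is passed as the body argument, not concatenated into the header string.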
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-03 14:38:40 UTC
OK, not quite sure how security handles this, rated B4 because it seems to be a
bit of an XSS.

web-apps team is about to start a major audit session of all webapps.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-03 22:29:22 UTC
Please open new bugs for each (bunch of) package(s).

Stuart, will you coordinate with webapps?
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-08-04 00:45:23 UTC
What makes this attack new? User input always had to be triple-checked before
being used, especially when used to run a system command, send mail or make an
SQL query...

Next: webapps as a SQL injection tool?

This should be an (open) Auditing bug, I think.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-04 00:57:37 UTC
Reassigning to web-apps who are welcome to audit their packages and report 
vulnerabilities.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-08-04 01:03:02 UTC
Unrestricting so that they can freely access it. Cc:ing security.
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2005-12-15 10:20:18 UTC
Stuart - where do we stand on this? I would imagine this is an upstream issue.
Comment 7 Renat Lumpau (RETIRED) gentoo-dev 2006-01-25 18:53:22 UTC
I'm going to go ahead and close as CANTFIX as this is an upstream issue.