[nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION
Daniel Krook
krook at us.ibm.com
Mon Sep 12 23:43:01 EDT 2005
> Is this exploit PHP specific? Although I haven't confirmed, the nature of
> the vulnerability would appear to affect any mailing web form, in nearly
> any language. Can anyone provide additional details?
Hmm,
An interesting question...
From my experience developing feedback forms in Java using the JavaMail
API, the "to" or "from" email addresses are of the type
javax.mail.internet.InternetAddress, which takes a String in its
constructor and throws an exception (javax.mail.internet.AddressException)
if the address cannot be parsed in RFC822 format (the default):
http://java.sun.com/products/javamail/javadocs/javax/mail/internet/InternetAddress.html#InternetAddress(java.lang.String)
These InternetAddress objects are normally given to an instance of type
javax.mail.internet.MimeMessage which is itself given an instance of
javax.mail.Session. You often set MimeMessage's recipients with methods
which take InternetAddresses, but can also take raw Strings.
The setSubject method of MimeMessage takes Strings, and it explicitly
notes in the Javadoc that "The application must ensure that the subject
does not contain any line breaks", which seems to suggest that it is also
known to be vulnerable to an exploit of this nature.
http://java.sun.com/products/javamail/javadocs/javax/mail/internet/MimeMessage.html#setSubject(java.lang.String)
So it would seem that if you venture past the parts of the JavaMail API
which allow you to use Strings, and instead create InternetAddress objects
and hardcode the subject, you would be "safe" from the exploit, but you
should double-check any methods you use that expect Strings.
Daniel Krook, Advisory IT Specialist
Application Development, Production Services - Tools, ibm.com
Personal: http://info.krook.org/
BluePages: http://bluepages.redirect.webahead.ibm.com/
BlogPages: http://blogpages.redirect.webahead.ibm.com/
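Putting the recommendation above into code, as an added example that is not part of the message and not code from JavaMail itself: a feedback-form mailer that only ever hands InternetAddress objects (parsed with strict=true) to MimeMessage, hardcodes the recipient and the subject, and, for the case where a subject really must come from the form, refuses one containing CR or LF rather than relying on setSubject to catch it. The class name, the feedback@example.com recipient and the three sample inputs are assumptions; the third sample is a constructed line-break injection attempt of the kind the thread is about.

```java
import java.util.Properties;

import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

/** Hypothetical feedback-form mailer on the JavaMail API (added example, not from the post). */
public class FeedbackMailer {

    // Assumed fixed recipient; never taken from the form, so the mail cannot be redirected.
    private static final String FEEDBACK_TO = "feedback@example.com";

    // Subject is hardcoded, as the post recommends, so the form cannot put headers into it.
    private static final String SUBJECT = "Website feedback";

    /**
     * Parse a user-supplied address strictly. With strict=true the constructor throws
     * AddressException for anything that is not a single RFC 822 address, which
     * includes input carrying CR/LF followed by extra header lines.
     */
    static InternetAddress parseStrict(String raw) throws AddressException {
        InternetAddress addr = new InternetAddress(raw, true);
        addr.validate(); // second pass of syntax checks on the parsed address
        return addr;
    }

    /**
     * Guard for a subject that must come from the form: setSubject takes a String and
     * its Javadoc makes the caller responsible for keeping line breaks out, so reject
     * any CR or LF instead of passing it through.
     */
    static String requireSingleLine(String subject) {
        if (subject == null || subject.indexOf('\r') >= 0 || subject.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("subject must be a single line");
        }
        return subject;
    }

    /** Build the message; a bad "from" address surfaces as AddressException before anything is sent. */
    static MimeMessage build(Session session, String fromRaw, String body) throws MessagingException {
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(parseStrict(fromRaw));
        msg.addRecipient(Message.RecipientType.TO, new InternetAddress(FEEDBACK_TO, true));
        msg.setSubject(requireSingleLine(SUBJECT));
        msg.setText(body); // goes into the MIME body, not the header block
        return msg;
    }

    public static void main(String[] args) throws Exception {
        Session session = Session.getInstance(new Properties());
        // Constructed inputs: a plain address, a display-name form, and a CR/LF injection attempt.
        String[] samples = {
            "alice@example.org",
            "Alice <alice@example.org>",
            "alice@example.org\r\nBcc: victim1@example.net, victim2@example.net",
        };
        for (String s : samples) {
            try {
                MimeMessage m = build(session, s, "Hello from the feedback form");
                m.saveChanges(); // finalises the headers; nothing is transported
                System.out.println("accepted: " + m.getFrom()[0]);
            } catch (AddressException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The first two samples are accepted; the third is rejected by the strict InternetAddress constructor (or by validate()) before it ever reaches a header. The same principle applies to any other MimeMessage setter that accepts a raw String: either hardcode the value or run it through a check like requireSingleLine first.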