oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request: PHPMailer Message Injection Vulnerability

From: cve-assign () mitre org
Date: Fri, 4 Dec 2015 23:34:29 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
This release contains an important security update.
Takeshi Terada discovered that PHPMailer accepted addresses containing line breaks.


Use CVE-2015-8476. Our understanding is that this is not the same as
CVE-2012-0796, which is:

  https://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9

This is related to the same original codebase. The Moodle
class.phpmailer.php file refers to Andy Prevost and Marcus Bointon,
who are listed in the
https://github.com/PHPMailer/PHPMailer/blob/master/README.md History
section. However, 62988bf0bbc73df655f51884aaf1f523928abff9 is about
the From and Sender headers. The change for PHPMailer 5.2.14 is:

  https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0

which mentions:

  Reject line breaks in addresses
  Reject line breaks in all commands
  
and gives an attack string beginning with:

  \r\n RCPT TO:websec02 () d mbsd jp\r\n DATA \\\nSubject: spam

This attack string suggests that "MAIL FROM" had already been sent.
Thus, we think the "PHPMailer before 5.2.14" finding is a different
vulnerability.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWYmkCAAoJEL54rhJi8gl5BrUQAJNkrgz/dEqZPZ2JLQ4z5ezr
LXc82Js/NSxRSRuvSOAJPRT/M30fLjwpqRVdAo0Vi0Nqou1+UYCchPs5SydAIT3B
yx9PVf973w1Q0Ee/3EaQZkCzeZQhCeNErTTKtnNuttW1LEqwo19ohcqZ0oTd0MyL
/h1riUtP8L79/XDf13WPbOZDwei3OhLfvEog1fDsHFXUgzOFoK00cTbrHZSf3XkG
a26hd8OkOPClYni8adl6mE20SrDJp02eJRgvqfQe9/JmHJDeNWDQ6q4Ok5XVWNUc
59bEOKq+VhaNru9+7M1rZWY2s48lra1cvKpGAvlWZgyCakpCg7kRS31JDHZuMzo3
9MGNrOyKFhLE1JWy8ug9YN/vG1eb8W19H7CA9Nz50aRagcIuyuerh+ljCMLfCdye
/V65TyQck7JcRG1sgdg+fVSJhXqS/2Ri2FijHHVxA8dNcnp26J0F7uuwLMX9tPjP
kU1/3Gum2noD/Zfh5Gv5HASjSRoCtQzmaPKJfNwZeb4Qv188Rfyi5722mARMo5G8
kSjaDEz2bsNA3D1LbcQBdilRe+KcyyC3zG1ocfBO345F06o5KvwJsWXu8Zv1Bmy4
BU6R1sjGU4ntIZDyPxMVL19wM4wFY69JXJoW50NR6iE7sPo+XW/nhqlVdL9vaWie
q762sA15AGFoDFckU/Aq
=ATt/
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: