CVE 2016 10033 and CVE 2016 10045

2 years ago

tempname
Member | 1
+3

Hello

Is nette/mail safe from the recent mail()/sendmail -f vulnerability that affected PHPMailer, SwiftMailer (used by Symfony, Laravel), CodeIgniter… see affected projects:

https://github.com/…nerabilities
http://legalhackers.com/…33-Vuln.html
https://gist.github.com/…eaa11af9ab36

This:

Nette\Utils\Validators::isEmail('"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com')

returns true (it's a valid email according to RFC 3696), but it is still safe to use as “From:” because nette/mail does not set the sender (the -f option of sendmail). Is that correct?

Last edited by tempname (2016-12-29 18:17)

2 years ago

David Grudl
Nette Core | 6846
0

Yes, it doesn't use -f, so it should not be affected.

2 years ago

SV
Member | 1
+2

People should be aware not to use dangerous email addresses as the 5th parameter of the mail() function.

This will work and can be dangerous on servers with original sendmail (not postfix etc.):

$email = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';

// The address is valid per RFC 3696, so this check passes and the options
// inside the quoted local part reach the sendmail command line via -f.
if (Nette\Utils\Validators::isEmail($email)) {
    mail($to, $subject, $message, '', "-f$email");
}

This will not work, since filter_var() is stricter than Nette's email validator and returns false:

$email = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';

// filter_var() rejects the whitespace inside the quoted local part,
// so mail() is never called with this address.
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    mail($to, $subject, $message, '', "-f$email");
}

2 years ago

Milo
Nette Core | 1146
0

SV wrote:

People should be aware not to use dangerous email addresses as 5th param of mail() function.

This will work and can be dangerous on servers with original sendmail (not postfix etc.):

$email = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';

if (Nette\Utils\Validators::isEmail($email)) {
   mail($to, $subject, $message, '', "-f$email");
}

It is as dangerous as any other shell call. Arguments must be properly escaped:

mail(..., '-f' . escapeshellarg($email));

Edit: Huh, it is much more dangerous. Thanks @JanTvrdík

2 years ago

Jan Tvrdík
Nette guru | 2550
+3

@Milo One of the problems is that escapeshellarg escapes arguments properly only in some cases. See https://gist.github.com/…eaa11af9ab36 for an explanation.
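Putting SV's demonstration and Jan's caveat together, here is an added example (not code from the thread, from Nette or from PHPMailer) of the defensive approach that follows from the discussion: gate the 5th parameter of mail() behind a narrow allow-list instead of relying on RFC validity or on escapeshellarg. The function names isSafeSenderAddress and senderOption, the regex and the sample addresses other than the one quoted in the thread are assumptions made for this illustration.

```php
<?php
// Added example, not part of the original thread.
// RFC 3696 validity (what Nette\Utils\Validators::isEmail checks) is not the
// same as "safe to splice into a sendmail command line" via -f.

declare(strict_types=1);

/**
 * Returns true only for plain addresses: no quoted local part, no whitespace,
 * no backslashes, nothing that could be read as a sendmail option.
 * Addresses that need quoting to be RFC-valid are rejected on purpose.
 */
function isSafeSenderAddress(string $email): bool
{
    // First gate: PHP's own syntax validation.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Second gate: an allow-list that is far narrower than RFC 3696.
    // A quoted local part without spaces ("quoted"@host) can pass filter_var,
    // so the regex, not filter_var, is what actually excludes it.
    $pattern = '/^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'
             . '(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$/';
    return preg_match($pattern, $email) === 1;
}

/**
 * Builds the additional_parameters argument for mail(). When the address fails
 * the allow-list it returns '' (no -f at all, so sendmail keeps its default
 * envelope sender) rather than falling back to escaping, which Jan's gist
 * shows is not sufficient on its own.
 */
function senderOption(string $email): string
{
    return isSafeSenderAddress($email) ? '-f' . $email : '';
}

// Constructed inputs: the address quoted in the thread plus two others.
$checks = [
    '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com' => false,
    '"quoted"@example.com'          => false, // RFC-valid, still rejected
    'alice.smith+news@example.com'  => true,
];

foreach ($checks as $email => $expected) {
    $result = isSafeSenderAddress($email);
    printf("%-70s %s  option=%s\n", $email, $result === $expected ? 'ok' : 'MISMATCH',
        var_export(senderOption($email), true));
    assert($result === $expected);
}
```

The safest option remains the one David describes for nette/mail itself: do not pass a user-controlled address as the 5th parameter at all, and set the sender through the MTA configuration instead.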