Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri,  4 Dec 2015 23:34:29 -0500 (EST)
From: cve-assign@...re.org
To: gsunde.orangen@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: PHPMailer Message Injection Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
> This release contains an important security update.
> Takeshi Terada discovered that PHPMailer accepted addresses containing line breaks.

Use CVE-2015-8476. Our understanding is that this is not the same as
CVE-2012-0796, which is:

  https://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9

This is related to the same original codebase. The Moodle
class.phpmailer.php file refers to Andy Prevost and Marcus Bointon,
who are listed in the
https://github.com/PHPMailer/PHPMailer/blob/master/README.md History
section. However, 62988bf0bbc73df655f51884aaf1f523928abff9 is about
the From and Sender headers. The change for PHPMailer 5.2.14 is:

  https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0

which mentions:

  Reject line breaks in addresses
  Reject line breaks in all commands
  
and gives an attack string beginning with:

  \r\n RCPT TO:websec02@...bsd.jp\r\n DATA \\\nSubject: spam

This attack string suggests that "MAIL FROM" had already been sent.
Thus, we think the "PHPMailer before 5.2.14" finding is a different
vulnerability.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWYmkCAAoJEL54rhJi8gl5BrUQAJNkrgz/dEqZPZ2JLQ4z5ezr
LXc82Js/NSxRSRuvSOAJPRT/M30fLjwpqRVdAo0Vi0Nqou1+UYCchPs5SydAIT3B
yx9PVf973w1Q0Ee/3EaQZkCzeZQhCeNErTTKtnNuttW1LEqwo19ohcqZ0oTd0MyL
/h1riUtP8L79/XDf13WPbOZDwei3OhLfvEog1fDsHFXUgzOFoK00cTbrHZSf3XkG
a26hd8OkOPClYni8adl6mE20SrDJp02eJRgvqfQe9/JmHJDeNWDQ6q4Ok5XVWNUc
59bEOKq+VhaNru9+7M1rZWY2s48lra1cvKpGAvlWZgyCakpCg7kRS31JDHZuMzo3
9MGNrOyKFhLE1JWy8ug9YN/vG1eb8W19H7CA9Nz50aRagcIuyuerh+ljCMLfCdye
/V65TyQck7JcRG1sgdg+fVSJhXqS/2Ri2FijHHVxA8dNcnp26J0F7uuwLMX9tPjP
kU1/3Gum2noD/Zfh5Gv5HASjSRoCtQzmaPKJfNwZeb4Qv188Rfyi5722mARMo5G8
kSjaDEz2bsNA3D1LbcQBdilRe+KcyyC3zG1ocfBO345F06o5KvwJsWXu8Zv1Bmy4
BU6R1sjGU4ntIZDyPxMVL19wM4wFY69JXJoW50NR6iE7sPo+XW/nhqlVdL9vaWie
q762sA15AGFoDFckU/Aq
=ATt/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ