Argument injection vulnerability in the mail function for PHP 4.x to 4.2.2 may allow attackers to bypass safe mode restrictions and modify command line arguments to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA behavior and possibly executing commands.

Wojciech Purczynski found out that it is possible for scripts to pass arbitrary text to sendmail as commandline extension when sending a mail through PHP even when safe_mode is turned on. Passing 5th argument should be disabled if PHP is configured in safe_mode, which is the case for newer PHP versions and for the versions below. This does not affect PHP3, though.

Wojciech Purczynski also found out that arbitrary ASCII control characters may be injected into string arguments of the mail() function. If mail() arguments are taken from user's input it may give the user ability to alter message content including mail headers.

Ulf Harnhammar discovered that file() and fopen() are vulnerable to CRLF injection. An attacker could use it to escape certain restrictions and add arbitrary text to alleged HTTP requests that are passed through.

However this only happens if something is passed to these functions which is neither a valid file name nor a valid url. Any string that contains control chars cannot be a valid url. Before you pass a string that should be a url to any function you must use urlencode() to encode it.

Three problems have been identified in PHP :

  - The mail() function can allow arbitrary email headers to     be specified if a recipient address or subject contains     CR/LF characters.
  - The mail() function does not properly disable the     passing of arbitrary command-line options to sendmail     when running in Safe Mode.

  - The fopen() function, when retrieving a URL, can allow     manipulation of the request for the resource through a     URL containing CR/LF characters. For example, headers     could be added to an HTTP request.

These problems have been fixed in version 3.0.18-23.1woody1 for PHP3 and 4.1.2-5 for PHP4 for the current stable distribution (woody), in version 3.0.18-0potato1.2 for PHP3 and 4.0.3pl1-0potato4 for PHP4 in the old stable distribution (potato) and in version 3.0.18-23.2 for PHP3 and 4.2.3-3 for PHP4 for the unstable distribution (sid).

The remote web server is running a version of PHP which is 4.2.2 or older. This version has a bug in its mail() function which does not properly sanitize user input. As a result, users can forge email to make it look like it is coming from a different source that the server.

A vulnerability was discovered in the transparent session ID support in PHP4 prior to version 4.3.2. It did not properly escape user- supplied input prior to inserting it in the generated web page. This could be exploited by an attacker to execute embedded scripts within the context of the generated HTML (CVE-2003-0442).

As well, two vulnerabilities had not been patched in the PHP packages included with Mandrake Linux 8.2: The mail() function did not filter ASCII control filters from its arguments, which could allow an attacker to modify the mail message content (CVE-2002-0986). Another vulnerability in the mail() function would allow a remote attacker to bypass safe mode restrictions and modify the command line arguments passed to the MTA in the fifth argument (CVE-2002-0985).

All users are encouraged to upgrade to these patched packages.

Update :

The packages for Mandrake Linux 8.2 and Multi-Network Firewall 8.2, due to improper BuildRequires did not include mail() support. This update corrects that problem.

The remote host is missing the patch for the advisory SUSE-SA:2002:036 (mod_php4).


PHP is a well known and widely used web programming language.
If a PHP script runs in 'safe mode' several restrictions are applied to it including limits on execution of external programs.

An attacker can pass shell meta-characters or sendmail(8) command line options via the 5th argument (introduced in version 4.0.5) of the mail() function to execute shell commands or control the behavior of sendmail(8).

The CRLF injection vulnerabilities in fopen(), file(), header(), ...
allow an attacker to bypass ACLs or trigger cross-side scripting.

The mod_php4 package is not installed by default.
A temporary fix is not known.

Please note, that the following packages were rebuild too:
- mod_php4-core
- mod_php4-aolserver
- mod_php4-devel
- mod_php4-servlet
- mod_php4-roxen

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.

PHP versions up to and including 4.2.2 contain vulnerabilities in the mail() function, allowing local script authors to bypass safe mode restrictions and possibly allowing remote attackers to insert arbitrary mail headers or content.

[Updated 13 Jan 2003] Added fixed packages for the Itanium (IA64) architecture.

[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server.

The mail function in PHP 4.x to 4.2.2 may allow local script authors to bypass safe mode restrictions and modify command line arguments to the MTA (such as sendmail) in the 5th argument to mail(), altering MTA behavior and possibly executing arbitrary local commands.

The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a 'spam proxy.'

Script authors should note that all input data should be checked for unsafe data by any PHP scripts which call functions such as mail().

Note that this PHP errata, as did RHSA-2002:129, enforces memory limits on the size of the PHP process to prevent a badly generated script from becoming a possible source for a denial of service attack.
The default process size is 8Mb, though you can adjust this as you deem necessary through the php.ini directive memory_limit. For example, to change the process memory limit to 4MB, add the following :

memory_limit 4194304

Important Note: There are special instructions you should follow regarding your /etc/php.ini configuration file in the 'Solution' section below.

The remote host is running a version of PHP prior or equal to 4.2.2.

The mail() function does not properly sanitize user input.
This allows users to forge email to make it look like it is coming from a different source other than the server.

Users can exploit this even if SAFE_MODE is enabled.

ID	Name	Product	Family	Severity
15005	Debian DSA-168-1 : php - bypassing safe_mode, CRLF injection	Nessus	Debian Local Security Checks	high
1481	PHP < 4.2.3 Mail Function Header Spoofing	Nessus Network Monitor	Web Servers	medium
14064	Mandrake Linux Security Advisory : php (MDKSA-2003:082-1)	Nessus	Mandriva Local Security Checks	high
13757	SUSE-SA:2002:036: mod_php4	Nessus	SuSE Local Security Checks	high
12326	RHEL 2.1 : php (RHSA-2002:214)	Nessus	Red Hat Local Security Checks	high
11444	PHP Mail Function Header Spoofing	Nessus	CGI abuses	medium
801069	PHP < 4.2.3 Mail Function Header Spoofing	Log Correlation Engine	Web Servers	medium

Detections

Analytics

CVE-2002-0985

critical

Tenable Plugins

high

medium

high

high

high

medium

medium