PHP mail() Message ASCIIZ Byte Truncation

2007.04.01
Credit: Stefan Esser
Risk: Low
Local: Yes
Remote: Yes
CWE: N/A

Description:

When the mail() function is called with a message that contains an ASCIIZ byte, it considers it the end of the message. PHP applications that do not filter ASCIIZ bytes from user input before embedding it into the message are therefore vulnerable to arbitrary email truncation.

Web applications sending email with PHP's mail() function often craft the email message with a construct like this:

$message = "Dear ".$_GET['name'];
$message .= "you have successfully ...";

In this example the name is inserted into the email message without further checks. It is obvious that this allows adding a text block to the email message that is completely under the control of the person injecting it. However, under normal circumstances the manipulation is obvious, because the original text stays appended to the mail. Unfortunately mail() internally handles the message as an ASCIIZ-terminated string, and therefore it is possible for an attacker to truncate the text after the inserted text by simply embedding an ASCIIZ character.

Proof of concept, exploit or instructions to reproduce:

A simple test for this vulnerability is the following PHP script:

<?php
mail("test@domain(dot)com", "Truncation Test", "You will see this message\0but not this");
?>

Notes:

In articles about email injection one usually only reads about header injection in the additional header parameter, but not about this ASCIIZ byte injection, which often allows completely replacing the email body with something else and then truncating the end.
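The following PHP script is an added illustration, not part of Stefan Esser's advisory: it models the C-string view mail() takes of the message body (as the advisory describes it) so the truncation is visible without sending mail, and shows the check an application should apply to user input before building the message. The function names and sample inputs are constructed for this example.

```php
<?php
// Added example (not from the advisory): make the NUL-byte truncation visible
// and reject user input that carries a NUL byte before it reaches mail().
// Function names and sample values are constructed for illustration.

// Model of the ASCIIZ view described in the advisory: the message body ends
// at the first NUL byte, whatever PHP's own string length says.
function as_c_string(string $s): string {
    $nul = strpos($s, "\0");
    return $nul === false ? $s : substr($s, 0, $nul);
}

// Refuse any user-supplied field that contains a NUL byte.
function require_no_nul(string $value, string $field): string {
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException("$field contains a NUL byte");
    }
    return $value;
}

// Same construct as the advisory's example, with the check applied.
function build_message(string $name): string {
    $message  = "Dear " . require_no_nul($name, 'name') . ",\n";
    $message .= "you have successfully registered.\n";
    return $message;
}

// Constructed inputs: a benign name and one carrying a NUL byte.
$benign  = "Alice";
$hostile = "Alice,\nyour account has been closed.\0";

// What the unchecked construct from the advisory would hand to mail():
$unchecked = "Dear " . $hostile . "you have successfully registered.\n";
echo strlen($unchecked), " bytes built, ",
     strlen(as_c_string($unchecked)), " bytes would actually be sent\n";

// With the check in place the hostile value never reaches mail():
echo build_message($benign);
try {
    build_message($hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The first echo shows the part of the body after the NUL byte disappearing from what is sent; the second path rejects the input instead of silently mailing a truncated message.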


Copyright 2024, cxsecurity.com