The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a "spam proxy."

Wojciech Purczynski found out that it is possible for scripts to pass arbitrary text to sendmail as commandline extension when sending a mail through PHP even when safe_mode is turned on. Passing 5th argument should be disabled if PHP is configured in safe_mode, which is the case for newer PHP versions and for the versions below. This does not affect PHP3, though.

Wojciech Purczynski also found out that arbitrary ASCII control characters may be injected into string arguments of the mail() function. If mail() arguments are taken from user's input it may give the user ability to alter message content including mail headers.

Ulf Harnhammar discovered that file() and fopen() are vulnerable to CRLF injection. An attacker could use it to escape certain restrictions and add arbitrary text to alleged HTTP requests that are passed through.

However this only happens if something is passed to these functions which is neither a valid file name nor a valid url. Any string that contains control chars cannot be a valid url. Before you pass a string that should be a url to any function you must use urlencode() to encode it.

Three problems have been identified in PHP :

  - The mail() function can allow arbitrary email headers to     be specified if a recipient address or subject contains     CR/LF characters.
  - The mail() function does not properly disable the     passing of arbitrary command-line options to sendmail     when running in Safe Mode.

  - The fopen() function, when retrieving a URL, can allow     manipulation of the request for the resource through a     URL containing CR/LF characters. For example, headers     could be added to an HTTP request.

These problems have been fixed in version 3.0.18-23.1woody1 for PHP3 and 4.1.2-5 for PHP4 for the current stable distribution (woody), in version 3.0.18-0potato1.2 for PHP3 and 4.0.3pl1-0potato4 for PHP4 in the old stable distribution (potato) and in version 3.0.18-23.2 for PHP3 and 4.2.3-3 for PHP4 for the unstable distribution (sid).

The remote web server is running a version of PHP which is 4.2.2 or older. This version has a bug in its mail() function which does not properly sanitize user input. As a result, users can forge email to make it look like it is coming from a different source that the server.

The remote host is running a version of PHP which is older than 4.2.2. This version has a bug which allows an attacker to disable the remote server or execute arbitrary code on it.

A vulnerability was discovered in the transparent session ID support in PHP4 prior to version 4.3.2. It did not properly escape user- supplied input prior to inserting it in the generated web page. This could be exploited by an attacker to execute embedded scripts within the context of the generated HTML (CVE-2003-0442).

As well, two vulnerabilities had not been patched in the PHP packages included with Mandrake Linux 8.2: The mail() function did not filter ASCII control filters from its arguments, which could allow an attacker to modify the mail message content (CVE-2002-0986). Another vulnerability in the mail() function would allow a remote attacker to bypass safe mode restrictions and modify the command line arguments passed to the MTA in the fifth argument (CVE-2002-0985).

All users are encouraged to upgrade to these patched packages.

Update :

The packages for Mandrake Linux 8.2 and Multi-Network Firewall 8.2, due to improper BuildRequires did not include mail() support. This update corrects that problem.

PHP versions up to and including 4.2.2 contain vulnerabilities in the mail() function, allowing local script authors to bypass safe mode restrictions and possibly allowing remote attackers to insert arbitrary mail headers or content.

[Updated 13 Jan 2003] Added fixed packages for the Itanium (IA64) architecture.

[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server.

The mail function in PHP 4.x to 4.2.2 may allow local script authors to bypass safe mode restrictions and modify command line arguments to the MTA (such as sendmail) in the 5th argument to mail(), altering MTA behavior and possibly executing arbitrary local commands.

The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a 'spam proxy.'

Script authors should note that all input data should be checked for unsafe data by any PHP scripts which call functions such as mail().

Note that this PHP errata, as did RHSA-2002:129, enforces memory limits on the size of the PHP process to prevent a badly generated script from becoming a possible source for a denial of service attack.
The default process size is 8Mb, though you can adjust this as you deem necessary through the php.ini directive memory_limit. For example, to change the process memory limit to 4MB, add the following :

memory_limit 4194304

Important Note: There are special instructions you should follow regarding your /etc/php.ini configuration file in the 'Solution' section below.

The remote host is running a version of PHP prior or equal to 4.2.2.

The mail() function does not properly sanitize user input.
This allows users to forge email to make it look like it is coming from a different source other than the server.

Users can exploit this even if SAFE_MODE is enabled.

The remote host is running a version of PHP earlier than 4.2.2.

The new POST handling system in PHP 4.2.0 and 4.2.1 has a bug which allows an attacker to disable the remote server or to compromise it.

ID	Name	Product	Family	Severity
15005	Debian DSA-168-1 : php - bypassing safe_mode, CRLF injection	Nessus	Debian Local Security Checks	high
1481	PHP < 4.2.3 Mail Function Header Spoofing	Nessus Network Monitor	Web Servers	medium
1476	PHP < 4.2.2 Malformed POST Requests	Nessus Network Monitor	Web Servers	high
14064	Mandrake Linux Security Advisory : php (MDKSA-2003:082-1)	Nessus	Mandriva Local Security Checks	high
12326	RHEL 2.1 : php (RHSA-2002:214)	Nessus	Red Hat Local Security Checks	high
11444	PHP Mail Function Header Spoofing	Nessus	CGI abuses	medium
11050	PHP < 4.2.x mail Function CRLF Injection	Nessus	CGI abuses	high

Detections

Analytics

CVE-2002-0986

high

Tenable Plugins

high

medium

high

high

high

medium

high