ID CVE-2005-3883
Summary CRLF injection vulnerability in the mb_send_mail function in PHP before 5.1.0 might allow remote attackers to inject arbitrary e-mail headers via line feeds (LF) in the "To" address argument.
References
Vulnerable Configurations
  • PHP 4.0.6 -
    cpe:2.3:a:php:php:4.0.6
  • PHP 4.0.7 -
    cpe:2.3:a:php:php:4.0.7
  • PHP 4.0.7 Release Candidate 1
    cpe:2.3:a:php:php:4.0.7:rc1
  • PHP 4.0.7 Release Candidate 2
    cpe:2.3:a:php:php:4.0.7:rc2
  • PHP 4.0.7 Release Candidate 3
    cpe:2.3:a:php:php:4.0.7:rc3
  • PHP 4.1.0 -
    cpe:2.3:a:php:php:4.1.0
  • PHP PHP 4.1.1
    cpe:2.3:a:php:php:4.1.1
  • PHP PHP 4.1.2
    cpe:2.3:a:php:php:4.1.2
  • cpe:2.3:a:php:php:4.2:-:dev
    cpe:2.3:a:php:php:4.2:-:dev
  • PHP 4.2.0 -
    cpe:2.3:a:php:php:4.2.0
  • PHP 4.2.1 -
    cpe:2.3:a:php:php:4.2.1
  • PHP PHP 4.2.2
    cpe:2.3:a:php:php:4.2.2
  • PHP 4.2.3 -
    cpe:2.3:a:php:php:4.2.3
  • PHP 4.3.0 -
    cpe:2.3:a:php:php:4.3.0
  • PHP PHP 4.3.1
    cpe:2.3:a:php:php:4.3.1
  • PHP 4.3.2 -
    cpe:2.3:a:php:php:4.3.2
  • PHP 4.3.3 -
    cpe:2.3:a:php:php:4.3.3
  • PHP 4.3.4 -
    cpe:2.3:a:php:php:4.3.4
  • PHP 4.3.5 -
    cpe:2.3:a:php:php:4.3.5
  • PHP 4.3.6 -
    cpe:2.3:a:php:php:4.3.6
  • PHP 4.3.7 -
    cpe:2.3:a:php:php:4.3.7
  • PHP PHP 4.3.8
    cpe:2.3:a:php:php:4.3.8
  • PHP PHP 4.3.9
    cpe:2.3:a:php:php:4.3.9
  • PHP 4.3.10 -
    cpe:2.3:a:php:php:4.3.10
  • PHP 4.3.11 -
    cpe:2.3:a:php:php:4.3.11
  • PHP 4.4.0 -
    cpe:2.3:a:php:php:4.4.0
  • PHP 4.4.1 -
    cpe:2.3:a:php:php:4.4.1
  • cpe:2.3:a:php:php:5.0:rc1
    cpe:2.3:a:php:php:5.0:rc1
  • cpe:2.3:a:php:php:5.0:rc2
    cpe:2.3:a:php:php:5.0:rc2
  • cpe:2.3:a:php:php:5.0:rc3
    cpe:2.3:a:php:php:5.0:rc3
  • PHP 5.0.0 -
    cpe:2.3:a:php:php:5.0.0
  • PHP 5.0.1 -
    cpe:2.3:a:php:php:5.0.1
  • PHP 5.0.2 -
    cpe:2.3:a:php:php:5.0.2
  • PHP 5.0.3 -
    cpe:2.3:a:php:php:5.0.3
  • PHP 5.0.4 -
    cpe:2.3:a:php:php:5.0.4
  • PHP 5.0.5 -
    cpe:2.3:a:php:php:5.0.5
CVSS
Base: 5.0 (as of 29-11-2005 - 08:16)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-238.NASL
    description A CRLF injection vulnerability in the mb_send_mail function in PHP before 5.1.0 might allow remote attackers to inject arbitrary e-mail headers via line feeds (LF) in the 'To' address argument, when using sendmail as the MTA (mail transfer agent). The updated packages have been patched to address this issue. Once the new packages have been installed, you will need to restart your Apache server using 'service httpd restart' in order for the new packages to take effect.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20469
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20469
    title Mandrake Linux Security Advisory : php (MDKSA-2005:238)
  • NASL family CGI abuses
    NASL id PHP_5_1_0.NASL
    description According to its banner, the version of PHP 5.x installed on the remote host is older than 5.1.0. Such versions may be affected by multiple vulnerabilities : - A cross-site scripting vulnerability exists in phpinfo(). - Multiple safe_mode/open_basedir bypass vulnerabilities exist in ext/curl and ext/gd. - It is possible to overwrite $GLOBALS due to an issue in file upload handling, extract(), and import_request_variables(). - An issue exists when a request is terminated due to memory_limit constraints during certain parse_str() calls, which could lead to register globals being turned on. - An issue exists with trailing slashes in allowed basedirs. - An issue exists with calling virtual() on Apache 2, which allows an attacker to bypass certain configuration directives like safe_mode or open_basedir. - A possible header injection exists in the mb_send_mail() function. - The apache2handler SAPI in the Apache module allows attackers to cause a denial of service.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 17711
    published 2011-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17711
    title PHP 5.x < 5.1.0 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0276.NASL
    description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The html_entity_decode() PHP function was found to not be binary safe. An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the 'html_entity_decode()' function with untrusted input from the user and displayed the result. (CVE-2006-1490) The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208) An input validation error was found in the 'mb_send_mail()' function. An attacker could use this flaw to inject arbitrary headers in a mail sent via a script calling the 'mb_send_mail()' function where the 'To' parameter can be controlled by the attacker. (CVE-2005-3883) A buffer overflow flaw was discovered in uw-imap, the University of Washington's IMAP Server. php-imap is compiled against the static c-client libraries from imap and therefore needed to be recompiled against the fixed version. This issue only affected Red Hat Enterprise Linux 3. (CVE-2005-2933). Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 21287
    published 2006-04-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21287
    title RHEL 3 / 4 : php (RHSA-2006:0276)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-232-1.NASL
    description Eric Romang discovered a local Denial of Service vulnerability in the handling of the 'session.save_path' parameter in PHP's Apache 2.0 module. By setting this parameter to an invalid value in an .htaccess file, a local user could crash the Apache server. (CVE-2005-3319) A Denial of Service flaw was found in the EXIF module. By sending an image with specially crafted EXIF data to a PHP program that automatically evaluates them (e. g. a web gallery), a remote attacker could cause an infinite recursion in the PHP interpreter, which caused the web server to crash. (CVE-2005-3353) Stefan Esser reported a Cross Site Scripting vulnerability in the phpinfo() function. By tricking a user into retrieving a specially crafted URL to a PHP page that exposes phpinfo(), a remote attacker could inject arbitrary HTML or web script into the output page and possibly steal private data like cookies or session identifiers. (CVE-2005-3388) Stefan Esser discovered a vulnerability of the parse_str() function when it is called with just one argument. By calling such programs with specially crafted parameters, a remote attacker could enable the 'register_globals' option which is normally turned off for security reasons. Once this option is enabled, the remote attacker could exploit other security flaws of PHP programs which are normally protected by 'register_globals' being deactivated. (CVE-2005-3389) Stefan Esser discovered that a remote attacker could overwrite the $GLOBALS array in PHP programs that allow file uploads and run with 'register_globals' enabled. Depending on the particular application, this can lead to unexpected vulnerabilities. (CVE-2005-3390) The 'gd' image processing and cURL modules did not properly check processed file names against the 'open_basedir' and 'safe_mode' restrictions, which could be exploited to circumvent these limitations. (CVE-2005-3391) Another bypass of the 'open_basedir' and 'safe_mode' restrictions was found in virtual() function. A local attacker could exploit this to circumvent these restrictions with specially crafted PHP INI files when virtual Apache 2.0 hosts are used. (CVE-2005-3392) The mb_send_mail() function did not properly check its arguments for invalid embedded line breaks. By setting the 'To:' field of an email to a specially crafted value in a PHP web mail application, a remote attacker could inject arbitrary headers into the sent email. (CVE-2005-3883). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 20776
    published 2006-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20776
    title Ubuntu 4.10 / 5.04 / 5.10 : php4, php5 vulnerabilities (USN-232-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0276.NASL
    description Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The html_entity_decode() PHP function was found to not be binary safe. An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the 'html_entity_decode()' function with untrusted input from the user and displayed the result. (CVE-2006-1490) The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208) An input validation error was found in the 'mb_send_mail()' function. An attacker could use this flaw to inject arbitrary headers in a mail sent via a script calling the 'mb_send_mail()' function where the 'To' parameter can be controlled by the attacker. (CVE-2005-3883) A buffer overflow flaw was discovered in uw-imap, the University of Washington's IMAP Server. php-imap is compiled against the static c-client libraries from imap and therefore needed to be recompiled against the fixed version. This issue only affected Red Hat Enterprise Linux 3. (CVE-2005-2933). Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21897
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21897
    title CentOS 3 / 4 : php (CESA-2006:0276)
oval via4
accepted 2013-04-29T04:04:43.807-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description CRLF injection vulnerability in the mb_send_mail function in PHP before 5.1.0 might allow remote attackers to inject arbitrary e-mail headers via line feeds (LF) in the "To" address argument.
family unix
id oval:org.mitre.oval:def:10332
status accepted
submitted 2010-07-09T03:56:16-04:00
title CRLF injection vulnerability in the mb_send_mail function in PHP before 5.1.0 might allow remote attackers to inject arbitrary e-mail headers via line feeds (LF) in the "To" address argument.
version 23
redhat via4
advisories
rhsa
id RHSA-2006:0276
refmap via4
bid 15571
confirm
mandriva MDKSA-2005:238
misc http://bugs.php.net/bug.php?id=35307
sectrack 1015296
secunia
  • 17763
  • 18054
  • 18198
  • 19832
  • 20210
  • 20951
sgi 20060501-01-U
suse SUSE-SA:2005:069
turbo TLSA-2006-38
ubuntu USN-232-1
vupen ADV-2006-2685
xf php-mbsendmail-header-injection(23270)
Last major update 07-12-2016 - 22:00
Published 29-11-2005 - 06:03
Last modified 30-10-2018 - 12:25
Back to Top