Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20151205043429.AB3DD72E158@smtpvbsrv1.mitre.org>
Date: Fri,  4 Dec 2015 23:34:29 -0500 (EST)
From: cve-assign@...re.org
To: gsunde.orangen@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: PHPMailer Message Injection Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
> This release contains an important security update.
> Takeshi Terada discovered that PHPMailer accepted addresses containing line breaks.

Use CVE-2015-8476. Our understanding is that this is not the same as
CVE-2012-0796, which is:

  https://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9

This is related to the same original codebase. The Moodle
class.phpmailer.php file refers to Andy Prevost and Marcus Bointon,
who are listed in the
https://github.com/PHPMailer/PHPMailer/blob/master/README.md History
section. However, 62988bf0bbc73df655f51884aaf1f523928abff9 is about
the From and Sender headers. The change for PHPMailer 5.2.14 is:

  https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0

which mentions:

  Reject line breaks in addresses
  Reject line breaks in all commands
  
and gives an attack string beginning with:

  \r\n RCPT TO:websec02@...bsd.jp\r\n DATA \\\nSubject: spam

This attack string suggests that "MAIL FROM" had already been sent.
Thus, we think the "PHPMailer before 5.2.14" finding is a different
vulnerability.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWYmkCAAoJEL54rhJi8gl5BrUQAJNkrgz/dEqZPZ2JLQ4z5ezr
LXc82Js/NSxRSRuvSOAJPRT/M30fLjwpqRVdAo0Vi0Nqou1+UYCchPs5SydAIT3B
yx9PVf973w1Q0Ee/3EaQZkCzeZQhCeNErTTKtnNuttW1LEqwo19ohcqZ0oTd0MyL
/h1riUtP8L79/XDf13WPbOZDwei3OhLfvEog1fDsHFXUgzOFoK00cTbrHZSf3XkG
a26hd8OkOPClYni8adl6mE20SrDJp02eJRgvqfQe9/JmHJDeNWDQ6q4Ok5XVWNUc
59bEOKq+VhaNru9+7M1rZWY2s48lra1cvKpGAvlWZgyCakpCg7kRS31JDHZuMzo3
9MGNrOyKFhLE1JWy8ug9YN/vG1eb8W19H7CA9Nz50aRagcIuyuerh+ljCMLfCdye
/V65TyQck7JcRG1sgdg+fVSJhXqS/2Ri2FijHHVxA8dNcnp26J0F7uuwLMX9tPjP
kU1/3Gum2noD/Zfh5Gv5HASjSRoCtQzmaPKJfNwZeb4Qv188Rfyi5722mARMo5G8
kSjaDEz2bsNA3D1LbcQBdilRe+KcyyC3zG1ocfBO345F06o5KvwJsWXu8Zv1Bmy4
BU6R1sjGU4ntIZDyPxMVL19wM4wFY69JXJoW50NR6iE7sPo+XW/nhqlVdL9vaWie
q762sA15AGFoDFckU/Aq
=ATt/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.