Closed Bug 619929 Opened 15 years ago Closed 13 years ago

Send spams through mozilla mail server

Categories

(www.mozilla.org :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: schuenjia, Assigned: dchanm+bugzilla)


Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [infrasec:input][ws:moderate])

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier:

The user input "email" is not properly validated, so that an attacker can use the sendmail function to automatically send spam emails to anyone.

Reproducible: Always

Steps to Reproduce:
1. POST http://www.mozilla.org/contribute/email/index.php
2. with email: xxx@yyy.zzz\r\nTo:victim1@foo.bar\r\nTo:victim2@foo.bar
It's just an example, please check also other input fields like $area.
Assignee: nobody → reed
I am unable to reproduce this issue. My steps:
1. Go to http://www.mozilla.org/contribute/
2. Fill out the Get In Touch option with burp running
3. Replace address parameter with the string provided

I received a HTTP/1.1 200 OK with the content "Must use a valid e-mail address". I also tried POSTing to http://www.mozilla.org/contribute/email/index.php with the same results. Am I missing a step?
sorry, please try this vector: address: xxx\r\nTo:victim@foo.bar
(In reply to comment #3)
> sorry, please try this vector:
>
> address:
> xxx\r\nTo:victim@foo.bar

Thanks. I was able to reproduce with that vector. The problem appears to be in the validate_email function, which is too permissive.
http://viewvc.svn.mozilla.org/vc/projects/mozilla.org/trunk/contribute/email/index.php?revision=68785&view=markup
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [infrasec:input][ws:moderate]
Attached patch: proposed patch (Splinter Review)
Change the [^@]+ to [a-zA-Z0-9._\-+]+
Attachment #498781 - Flags: review?(reed)
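The two vectors in this bug behave differently against the old check, and the patch only quotes the local-part class it changes. The following is an added illustration, not the page's PHP code: it reconstructs the pre-patch and patched patterns (the surrounding anchoring and the domain pattern are assumptions) and adds a stricter variant that rejects CR/LF anywhere, which is the property a sendmail-backed form actually needs.

```python
import re

# Assumed reconstruction of validate_email: the patch replaces the local
# part "[^@]+" with "[a-zA-Z0-9._\-+]+"; the domain side is assumed unchanged.
PERMISSIVE = re.compile(r"[^@]+@[^@]+")
PATCHED = re.compile(r"[a-zA-Z0-9._\-+]+@[^@]+")
# Assumed, deliberately narrow domain pattern for the strict variant.
DOMAIN = re.compile(r"[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+")
LOCAL = re.compile(r"[a-zA-Z0-9._\-+]+")
# Characters that let input break out of one mail header into a new line.
HEADER_CONTROL = re.compile(r"[\r\n\x00]")


def validate_email_permissive(address: str) -> bool:
    """Pre-patch behaviour: any run of non-'@' characters is a valid local part."""
    # fullmatch rather than '$': '$' in both Python and PCRE also matches
    # just before a trailing newline, which would accept "user@host\n".
    return PERMISSIVE.fullmatch(address) is not None


def validate_email_patched(address: str) -> bool:
    """Patched behaviour: local part limited to the allowlisted characters."""
    return PATCHED.fullmatch(address) is not None


def validate_email_strict(address: str) -> bool:
    """Defence in depth: refuse header control characters in any position,
    then allowlist both sides of the '@' separately."""
    if HEADER_CONTROL.search(address):
        return False
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return False
    return LOCAL.fullmatch(local) is not None and DOMAIN.fullmatch(domain) is not None


def compare(address: str) -> dict:
    """Return each validator's verdict for one address (handy for log review)."""
    return {
        "permissive": validate_email_permissive(address),
        "patched": validate_email_patched(address),
        "strict": validate_email_strict(address),
    }


if __name__ == "__main__":
    # Constructed inputs: the two vectors from the report plus a normal address.
    for sample in ["user@example.org",
                   "xxx\r\nTo:victim@foo.bar",
                   "xxx@yyy.zzz\r\nTo:victim1@foo.bar\r\nTo:victim2@foo.bar"]:
        print(repr(sample), compare(sample))
```

The comment 0 vector contains three '@' signs, so even the permissive pattern rejects it, which matches the "unable to reproduce" result in comment 2; the comment 3 vector has exactly one and slips through until the local part is restricted.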
Assignee: reed → dchan
Comment on attachment 498781 [details] [diff] [review] proposed patch r=me
Attachment #498781 - Flags: review?(reed) → review+
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
This appears to be fixed. Submitting the previously working string of xxx\r\nfoo@bar.com now returns an error to enter a valid email. This was probably fixed in the rewrite. Closing bug.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Flags: sec-bounty+
Group: websites-security