email header injection


James Ward

Tuesday 28 November 2006 12:11:36 pm

I've seen a lot of email header injection attempts on the "tip a friend" forms on multiple eZ Publish installs I am hosting. Are there any known vulnerabilities with these forms which I should be aware of?

working at www.wardnet.com
blogging at www.jamesward.ca

Georg Franz

Tuesday 28 November 2006 12:26:20 pm

Hi,

have a look at
http://ez.no/community/forum/general/how_avoid_tip_a_friend_abuse

I was also attacked by a Russian spammer. I disabled the tipafriend function.

Best wishes,
Georg.

--
http://www.schicksal.com Horoskop website which uses eZ Publish since 2004

Claudia Kosny

Wednesday 29 November 2006 11:50:58 am

Hi James

I recently skimmed over some mail classes in eZ and according to my tests the fields for the email addresses of sender and receiver do not pose any problem as the content is validated against a regular expression (which is actually too strict and forbids some valid email addresses as well).

The field for the name of the sender unfortunately seems to be an open door for injection (at least it was on my setup). The same might be true for the name of the receiver, I have not tested this. For now I will just check whether one of these variables contains a linebreak and display an error message if that is the case. I am not sure whether this is sufficient but my mailbox will certainly tell me soon...

Injecting additional message text did not work for me, but I haven't tried too hard. Removing new lines from the name field should hopefully prevent this anyway.

Claudia
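
The check Claudia describes (reject a name field that contains a line break, then build the headers from the validated values), written out as an added example in Python. This is not eZ Publish code; the field names and the constructed sample inputs are assumptions standing in for the form's inputs.

```python
"""Reject email header injection in a 'tip a friend' style form.

Added example, not eZ Publish code. sender_name, sender_email and
recipient_email are assumed names for the form fields.
"""
import re
from email.message import EmailMessage
from email.utils import formataddr

# Deliberately permissive address check: one '@', a dotted domain, no
# whitespace, angle brackets, quotes or list separators. The thread notes
# that an over-strict regex rejects valid addresses; header safety comes
# from banning CR/LF, not from a tight address grammar.
ADDRESS_RE = re.compile(r"^[^\s@<>,;\"\\]+@[^\s@<>,;\"\\]+\.[^\s@<>,;\"\\]+$")


def contains_header_injection(value: str) -> bool:
    """True if a free-text field could start a new header line.

    A carriage return or line feed is the injection primitive: once the
    message is serialised, text after the break is read as a new header.
    """
    return "\r" in value or "\n" in value


def build_tip_message(sender_name, sender_email, recipient_email, body):
    """Return an EmailMessage, or raise ValueError on unsafe input."""
    for label, field in (("sender name", sender_name),
                         ("sender email", sender_email),
                         ("recipient email", recipient_email)):
        if contains_header_injection(field):
            raise ValueError(f"line break in {label}")
    for addr in (sender_email, recipient_email):
        if not ADDRESS_RE.match(addr):
            raise ValueError(f"malformed address: {addr!r}")
    msg = EmailMessage()
    # formataddr quotes (or RFC 2047-encodes) the display name, so commas,
    # quotes and non-ASCII in the name never become header syntax.
    msg["From"] = formataddr((sender_name, sender_email))
    msg["To"] = recipient_email
    msg["Subject"] = "Someone has sent you a link"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample input: a benign name, then the kind of smuggled
    # Bcc header the thread is about, which must be rejected.
    ok = build_tip_message("Ward, James", "james@example.com",
                           "friend@example.com", "Have a look at this page.")
    print(ok["From"])
    try:
        build_tip_message("Alice\r\nBcc: list@example.com",
                          "alice@example.com", "friend@example.com", "x")
    except ValueError as err:
        print("rejected:", err)
```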

James Ward

Wednesday 29 November 2006 1:14:01 pm

Thanks both for all the information.

Claudia,
I am very happy to see someone giving this serious issue the attention it deserves. I don't want to hijack my own thread but perhaps you or someone else has dealt with the issue of user registration being injected to validate without any values for username or email address? I have seen this on a couple of ezpublish sites I run.

Thanks again,
James

working at www.wardnet.com
blogging at www.jamesward.ca

Claudia Kosny

Friday 01 December 2006 2:53:40 pm

Hi James

I don't run the sites and was not told of any such problems yet, so I cannot help you there.

Claudia

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.
