
[Security announcements] Form_mail module allows arbitrary header injection

Posted by Drupaler (unverified) on 2006-07-06 (Thu) 11:38

FORM_MAIL MODULE ALLOWS ARBITRARY HEADER INJECTION

* Advisory ID: DRUPAL-SA-2006-009

* Project: form_mail

* Date: 2006-Jul-4

* Security risk: moderately critical

* Impact: security bypass

* Exploitable from: remote

* Vulnerability: mail header injection attack

------------DESCRIPTION------------

Linefeed and carriage-return characters were not stripped from user-supplied
values before those values were placed in email headers. A form submission
containing a CR/LF could therefore end a header early and insert headers of
its own (for example additional recipients) into the outgoing email.

This could lead to sites running the module being used to send unwanted email.
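The defect class above, shown as an added example in PHP; this is not code from the form_mail module or from Drupal core, and the function names, the field names and the attacker input are constructed for illustration. It contrasts a header block assembled straight from a form value with one that rejects, or alternatively strips, CR/LF and other control bytes before the value can reach a header.

```php
<?php
// Added example, not code from the form_mail module or from Drupal core.
// Demonstrates mail header injection: CR/LF in a user-supplied value is
// copied into an outgoing header block, so the submission can terminate the
// header early and append headers of its own. All names are assumed.

/**
 * Plain header assembly. Safe only if the caller has already made sure that
 * neither value contains CR or LF.
 */
function assemble_headers(string $from, string $subject): string {
  return "From: $from\r\nSubject: $subject\r\n";
}

/**
 * Vulnerable pattern: the form's "from" value goes straight into the header
 * block without any check.
 */
function build_headers_vulnerable(string $from, string $subject): string {
  return assemble_headers($from, $subject);
}

/**
 * TRUE only if the value cannot break out of a single header line:
 * no CR, LF, NUL or any other C0 control byte (and no DEL).
 */
function header_value_is_safe(string $value): bool {
  return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

/**
 * Alternative to rejection: remove CR, LF and the other control bytes so the
 * value can only ever occupy one header line. This keeps the mail flowing
 * but silently alters what the sender typed, so rejecting is usually better.
 */
function sanitize_header_value(string $value): string {
  return preg_replace('/[\x00-\x1F\x7F]+/', '', $value);
}

/**
 * Hardened pattern: validate every user-controlled value before it is
 * allowed anywhere near a header, and refuse the submission otherwise.
 */
function build_headers_fixed(string $from, string $subject): string {
  foreach (['from' => $from, 'subject' => $subject] as $name => $v) {
    if (!header_value_is_safe($v)) {
      throw new InvalidArgumentException("Control characters in '$name' header value");
    }
  }
  return assemble_headers($from, $subject);
}

// Constructed attacker input: a "from" field whose value carries a CRLF and
// a Bcc: line, so the site would relay the message to an address of the
// attacker's choosing. In a real request this arrives as "%0d%0a" in the
// POST body and PHP has already decoded it by the time the module sees it.
$payload = "alice@example.com\r\nBcc: relay-target@example.net";

echo "--- vulnerable header block ---\n";
echo build_headers_vulnerable($payload, 'Hello');

echo "--- hardened: rejected ---\n";
try {
  echo build_headers_fixed($payload, 'Hello');
} catch (InvalidArgumentException $e) {
  echo 'rejected: ' . $e->getMessage() . "\n";
}

echo "--- hardened: stripped instead of rejected ---\n";
echo assemble_headers(sanitize_header_value($payload), 'Hello');

echo "--- legitimate value passes unchanged ---\n";
echo build_headers_fixed('alice@example.com', 'Hello');
```

Run it with `php` on the command line; the first block prints a separate `Bcc:` header line, the second refuses the input, the third shows the injected line collapsed into the `From:` value. The check has to be applied to the decoded value of every user-controlled field that can reach a header (From, Reply-To, Subject, recipient), not to the raw URL-encoded form data, and not only to the address field the attacker happened to use here.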

------------VERSIONS AFFECTED------------

form_mail versions prior to revision 1.8.2.2 on 27.6.2006

Drupal core is not affected.

------------SOLUTION------------

Download the latest version of form_mail: form_mail-4.6.0.tar.gz
http://ftp.osuosl.org/pub/drupal/files/projects/form_mail-4.6.0.tar.gz

------------REPORTED BY------------

Adam Gundry

------------CONTACT------------