Info

Disclosure

Jul 30, 2003

Discovery

Aug 23, 2002

Dates

Exploit

Jul 30, 2003

Solution

Unknown

Description

PHP 4.x to 4.2.2 contains a flaw that exist in the mail() function that does not properly sanitize user input. It is possible for a user may pass ASCII control characters to the mail() function that could alter the headers of email. This could result in spoofed mail headers.

Classification

Unknown or Incomplete

Solution

Upgrade to the latest version of PHP available, or disable the mail() function in the php.ini.

Products

OpenPKG	OpenPKG	1.0
		1.1
		1.2

PHP Group	PHP	3.0
		4.0
		4.0.1
		4.0.2
		4.0.3
		4.0.4
		4.0.5
		4.0.6
		4.0.7
		4.1.0
		4.1.1
		4.1.2
		4.2.0
		4.2.1
		4.2.2

References

CVE ID: 2002-0985 (see also: NVD)
Related OSVDB ID: 2160
Bugtraq ID: 5562
ISS X-Force ID: 9966
Other Advisory URL: ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-008.0.txt http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000545
http://www.debian.org/security/2002/dsa-168
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:082
http://www.novell.com/linux/security/advisories/2002_036_modphp4.html
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103011916928204&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=103011916928204&w=2
Vendor Specific Advisory URL: http://www.securityfocus.com/advisories/4486
http://www.securityfocus.com/advisories/4699
http://www.securityfocus.com/advisories/5056
https://rhn.redhat.com/errata/RHSA-2002.html [ Link is 404 ]
RedHat RHSA: RHSA-2002:213 RHSA-2002:214 RHSA-2002:243 RHSA-2002:244 RHSA-2002:248 RHSA-2003:159

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

OpenPKG

OpenPKG

PHP Group

PHP

References

Credit