It was discovered that the Dotdeb PHP packages are patched with a mail() protection patch that was originally created by Steve Bennett and is now developed at choon.net. This patch adds an X-PHP-Script header to outgoing mails that contains the name of the server, the script and the calling IP.
Unfortunately the script name is copied directly from PHP's PHP_SELF variable without further processing. Because PHP_SELF not only contains the script name but also the urldecoded content of PATH_INFO, this allows injection of arbitrary content into the email headers.
Because of this vulnerability, on every PHP server that uses this patch every PHP script that uses the mail() function can be abused to send spam or tricked into disclosing sensitive content by injecting Bcc: headers.
A possible attack would be injecting Bcc: headers into password reminder/password reset mails sent out by forums in order to break into the administrator account.
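The defect above is that a request-controlled value (PHP_SELF, which includes PATH_INFO) is written into a mail header without checking for line breaks. The following C snippet is an added illustration, not code from the choon.net patch or from Dotdeb: it shows the check a header-building routine needs (reject or cut at the first CR/LF) so that a value taken from the request can never start a new header line. The header layout "X-PHP-Script: host script for ip", the helper names and the sample values are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of the real patch): returns 1 if the value
   contains no CR or LF and can therefore sit on a single header line. */
int header_value_is_safe(const char *v)
{
    for (; *v; v++) {
        if (*v == '\r' || *v == '\n')
            return 0;
    }
    return 1;
}

/* Copy src into dst (capacity n), stopping at the first CR or LF so that any
   injected continuation lines are dropped before the value reaches the message. */
void copy_single_line(char *dst, size_t n, const char *src)
{
    size_t i = 0;
    for (; i + 1 < n && src[i] && src[i] != '\r' && src[i] != '\n'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
}

/* Build the X-PHP-Script header into out (capacity n) from the server name,
   the script name (untrusted, as PHP_SELF would be) and the client IP.
   The script name is sanitized; host and ip are assumed to be server-controlled.
   Returns the number of characters written, or -1 if out is too small. */
int build_x_php_script_header(char *out, size_t n, const char *host,
                              const char *script, const char *ip)
{
    char safe_script[256];
    copy_single_line(safe_script, sizeof safe_script, script);
    int r = snprintf(out, n, "X-PHP-Script: %s%s for %s", host, safe_script, ip);
    if (r < 0 || (size_t)r >= n)
        return -1;
    return r;
}

int main(void)
{
    char hdr[512];
    /* Constructed sample: a PHP_SELF value whose PATH_INFO part carries a
       line break, i.e. the shape the advisory describes. */
    const char *tainted = "/index.php/\r\nBcc: someone@example.invalid";

    printf("value safe for a header line? %d\n", header_value_is_safe(tainted));
    if (build_x_php_script_header(hdr, sizeof hdr, "www.example.invalid",
                                  tainted, "192.0.2.1") > 0)
        printf("%s\n", hdr);
    return 0;
}
```

Cutting at the first line break is the minimal fix; a stricter variant would refuse to send the mail at all when header_value_is_safe() returns 0, or use a server-side value such as SCRIPT_NAME that does not carry PATH_INFO in the first place.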
Disclosure Timeline:
10. November 2006 - Notified dotdeb vendor and choon.net
12. November 2006 - choon.net released updated patch
13. November 2006 - dotdeb released updated PHP packages
14. November 2006 - Public Disclosure
Recommendation:
We strongly recommend upgrading your dotdeb installation as soon as possible, because it not only fixes this vulnerability but also bundles our Suhosin Patch for extra protection of your PHP server.