#VU6975 Information disclosure in PHP
Published: June 8, 2017 / Updated: June 9, 2017
Vulnerability identifier: #VU6975
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
PHP
Software vendor:
PHP Group
Description
The vulnerability allows an attacker to gain access to potentially sensitive information.
The vulnerability exists in the implementation of the mail() PHP function in win32/sendmail.c, when parsing email headers for CC and BCC lines. A local or remote attacker with the ability to modify email headers can send a copy of email messages to an arbitrary email address.
Example:
    $headers = implode("\r\n", [
        "Cc: test2@example.com",
        "X-Test-Cc: line 2",
        "X-Test-Aabbcc: test3@example.com",
        "X-Line-4: line 4"
    ]);
    mail("test@example.com", "Subject", "Body", $headers);
Actual recipients:
Recipients: test@example.com, test2@example.com, test3@example.com
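The following C program is an added illustration, not code from PHP's win32/sendmail.c or from this advisory. It models the flaw on the assumption that the parser finds "cc:" and "bcc:" by case-insensitive substring search, and compares that with matching the field name only at the start of a header line. The names collect_copies and has_prefix_ci are hypothetical, and treating a value without "@" as unusable is an assumption made to mirror the recipient list above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the header block from the advisory's example. */
static const char SAMPLE[] =
    "Cc: test2@example.com\r\n"
    "X-Test-Cc: line 2\r\n"
    "X-Test-Aabbcc: test3@example.com\r\n"
    "X-Line-4: line 4";

/* Case-insensitive test: does s begin with prefix? */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Copy address-like values of field `name` (e.g. "cc:") into out, space
 * separated, and return their count. anchored=0 accepts `name` anywhere
 * (flawed pattern); anchored=1 only at the start of a header line. */
int collect_copies(const char *headers, const char *name, int anchored,
                   char *out, size_t outsz) {
    int hits = 0;
    out[0] = '\0';
    for (const char *p = headers; *p; p++) {
        int line_start = (p == headers) || (p[-1] == '\n');
        if ((anchored && !line_start) || !has_prefix_ci(p, name)) continue;
        const char *v = p + strlen(name);
        while (*v == ' ' || *v == '\t') v++;
        size_t len = strcspn(v, "\r\n"), used = strlen(out);
        /* Assumption: a value without '@' is not usable as a recipient. */
        if (memchr(v, '@', len) && used + len + 2 <= outsz) {
            snprintf(out + used, outsz - used, "%s%.*s", hits ? " " : "", (int)len, v);
            hits++;
        }
        p = v + len - 1; /* resume scanning after this value */
    }
    return hits;
}

int main(void) {
    char a[128], b[128];
    int na = collect_copies(SAMPLE, "cc:", 0, a, sizeof a);
    int nb = collect_copies(SAMPLE, "cc:", 1, b, sizeof b);
    printf("substring: %d (%s)\nanchored:  %d (%s)\n", na, a, nb, b);
    return 0;
}
```

The same line-anchored comparison can be used by application code to check header blocks built from user input before they are passed to mail() on unpatched Windows builds.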
Remediation
Update to version 7.0.20 or 7.1.6.