Comment notification header injection? (5 posts)

  1. Amelie
    Posted 9 years ago #

    I just received the following in my server logs:

    comment: to6759@[my domain]
    redirect_to: to6759@[my domain]
    url: to6759@[my domain]
    author: portraits
    Content-Type: multipart/alternative; boundary=4531a12f2b5c30d6106376b2881e01d6
    MIME-Version: 1.0
    Subject: comply or to refuse
    bcc: hollowiog1503@aol.com

    This is a multi-part message in MIME format.

    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    soothing him . o, darlint they only knocked off half


    submit: to6759@[my domain]
    subscribe: to6759@[my domain]
    comment_post_ID: to6759@[my domain]
    email: to6759@[my domain]

    ...sent with the following headers:

    POST /home/wp-comments-post.php HTTP/1.1
    Connection: Keep-Alive
    Content-Length: 777
    Content-Type: application/x-www-form-urlencoded
    Host: [my domain]
    Referer: [my domain]

    Now I have searched for a related topic, but could find nothing really addressing this (but if I missed something, apologies in advance).
    Is it possible for the comment notification e-mail to be injected using the information this spammer has submitted? I am using WP 2.0.2, if that helps at all.
    Incidentally, this spammer's attempt was blocked by one of my spam plugins, but I want to make sure that there is nothing vulnerable about WordPress that would allow the e-mail headers to be injected. I had a brief look at the code, but I wasn't able to find the comment notification function to see whether or not it was vulnerable.

    Thanks in advance for any info.

  2. Samuel B
    Posted 9 years ago #

    There have been no vulnerabilities of the type you suggest reported.
    It looks fairly basic to me. A spam script.

  3. Mark (podz)
    Support Maven
    Posted 9 years ago #

    What plugins do you have activated?

  4. Firas
    Posted 9 years ago #

    The function is wp_mail(). The comment notification function is wp_notify_postauthor().

    A cursory glance at calls to wp_mail() suggests that nowhere does commenter-given input get into the to, from, subject or other email headers.

  5. Amelie
    Posted 9 years ago #

    @Podz: Akismet 1.14, Bad Behaviour 1.2.4, WordPress Database Backup 1.7, Autoclose Comments 0.1, Comment Plugger 1.1, Exec-PHP 2.0, Gravatar 1.1, Quote Comment 2.0.2, Subscribe to Comments 2.0, Search and Replace 1.1 and runPHP 2.1b.

Topic Closed

This topic has been closed to new replies.
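
An added example, not part of the original thread and not WordPress code: a log-side check that flags form fields whose decoded value carries a line break followed by a mail header name, as the author field in the logged request does, plus the first-line-only rule that keeps such a value from starting a new header. The function names, the header list and the sample body (with placeholder addresses) are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode

# A mail header name at the start of a line that follows a CR or LF.
# The list of names is an assumption chosen for this example.
INJECTED_HEADER = re.compile(
    r"[\r\n][ \t]*(bcc|cc|to|from|subject|reply-to|content-type|mime-version"
    r"|content-transfer-encoding)[ \t]*:",
    re.IGNORECASE,
)


def scan_form_body(body):
    """Map each form field to the mail header names smuggled into its value."""
    findings = {}
    for field, value in parse_qsl(body, keep_blank_values=True):
        names = [m.group(1).lower() for m in INJECTED_HEADER.finditer(value)]
        if names:
            findings[field] = names
    return findings


def header_safe(value):
    """Keep only the first line, so the value cannot start a new header."""
    return re.split(r"[\r\n]", value, maxsplit=1)[0].strip()


# Constructed sample modelled on the logged request; addresses are placeholders.
SAMPLE_BODY = urlencode({
    "comment": "probe@example.com",
    "author": "portraits\r\nContent-Type: multipart/alternative; boundary=x\r\n"
              "MIME-Version: 1.0\r\nSubject: constructed subject\r\n"
              "bcc: drop@example.net\r\n\r\nconstructed body text",
    "email": "probe@example.com",
})

if __name__ == "__main__":
    for field, names in scan_form_body(SAMPLE_BODY).items():
        print(f"{field}: injected {', '.join(names)}")
    print(repr(header_safe("portraits\r\nbcc: drop@example.net")))
```

A header name with no line break in front of it, such as a comment that merely begins with "Subject:", is not flagged, because it cannot end the header it is placed in.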
