WordPress.org

Support

Support » Miscellaneous » Comment notification header injection?

Comment notification header injection?

  • I just received the following in my server logs:

    comment: to6759@[my domain]
    redirect_to: to6759@[my domain]
    url: to6759@[my domain]
    author: portraits
    Content-Type: multipart/alternative; boundary=4531a12f2b5c30d6106376b2881e01d6
    MIME-Version: 1.0
    Subject: comply or to refuse
    bcc: hollowiog1503@aol.com

    This is a multi-part message in MIME format.

    –4531a12f2b5c30d6106376b2881e01d6
    Content-Type: text/plain; charset=\”us-ascii\”
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    soothing him . o, darlint they only knocked off half
    –4531a12f2b5c30d6106376b2881e01d6–

    .

    submit: to6759@[my domain]
    subscribe: to6759@[my domain]
    comment_post_ID: to6759@[my domain]
    email: to6759@[my domain]

    …sent with the following headers:

    POST /home/wp-comments-post.php HTTP/1.1
    Connection: Keep-Alive
    Content-Length: 777
    Content-Type: application/x-www-form-urlencoded
    Host: [my domain]
    Referer: [my domain]

    Now I have searched for a related topic, but could find nothing really addressing this (but if I missed something, apologies in advance).
    Is it possible for the comment notification e-mail to be injected using the information this spammer has submitted? I am using WP 2.0.2, if that helps at all.
    Incidentally, this spammer’s attempt was blocked by one of my spam plugins, but I want to make sure that there is nothing vulnerable about WordPress that would allow the e-mail headers to be injected. I had a brief look at the code, but I wasn’t able to find the comment notification function to see whether or not it was vulnerable.

    Thanks in advance for any info.

Viewing 4 replies - 1 through 4 (of 4 total)
  • There have been no vulnerabilities of the type you suggest reported.
    It looks fairly basic to me. A spam script.

    What plugins do you have activated?

    The function is wp_mail(). The comment notification function is wp_notify_postauthor().

    A cursory glance at calls to wp_mail() suggests that nowhere does commentor-given input get into the to, from, subject or other email headers.

    @podz: Akismet 1.14, Bad Behaviour 1.2.4, WordPress Database Backup 1.7, Autoclose Comments 0.1, Comment Plugger 1.1, Exec-PHP 2.0, Gravatar 1.1, Quote Comment 2.0.2, Subscribe to Comments 2.0, Search and Replace 1.1 and runPHP 2.1b.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Comment notification header injection?’ is closed to new replies.
Skip to toolbar