This queue is for tickets about the SMTP-Server CPAN distribution.

Report information
The Basics
Id:
124769
Status:
open
Priority:
Low/Low
Queue:

People
Owner:
Nobody in particular
Requestors:
hackyzh001 [...] gmail.com
Cc:
AdminCc:

BugTracker
Severity:
(no value)
Broken in:
(no value)
Fixed in:
(no value)



Subject: SMTP command injection
From: hackyzh001@gmail.com
#!perl #use warnings; #use strict; use Net::SMTP; my $smtp = Net::SMTP->new("localhost", Hello => 'my.host.com', Timeout => 60); $smtp->mail("whitehat002\@hotmail.com"); $smtp->to("499671216\@qq.com\n"); $smtp->data(); $smtp->datasend("From: whitehat002\@hotmail.com\nSubject: command inject\n"); $smtp->datasend("To: 499671216\@qq.com\n"); $smtp->quit; print "send success\n"; -------------------------- command inject From:whitehat002 <whitehat002@hotmail.com> Date:Wednesday, Mar 14, 2018 9:59 AM To: 道隐无名 <499671216@qq.com> Hello,perl security team, Now I use smtp module,and I can inject command success.Another ticket #124765 should be closed,thanks.
Subject: [perl #132973] AutoReply: Fwd: [rt.cpan.org #124769] SMTP command injection
Date: Tue, 13 Mar 2018 19:07:59 -0700
To: bug-SMTP-Server@rt.cpan.org
From: perl5-security-report-followup@perl.org
Greetings, This message has been automatically generated in response to the creation of a perl security report regarding: "Fwd: [rt.cpan.org #124769] SMTP command injection". There is no need to reply to this message right now. Your ticket has been assigned an ID of [perl #132973]. Please include the string: [perl #132973] in the subject line of all future correspondence about this issue. To do so, you may reply to this message (please delete unnecessary quotes and text.) Thank you, perl5-security-report-followup@perl.org ------------------------------------------------------------------------- X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mx3.develooper.com X-Spam-Status: No, score=-2.2 required=6.0 tests=ALL_TRUSTED,BAYES_00, MIME_HEADER_CTYPE_ONLY,T_TVD_MIME_NO_HEADERS,URIBL_BLOCKED autolearn=no version=3.3.1 Return-Path: <perlmail@x6.develooper.com> X-RT-Mail-Extension: perl5-security Subject: Fwd: [rt.cpan.org #124769] SMTP command injection From: bug-SMTP-Server@rt.cpan.org Date: Tue, 13 Mar 2018 22:07:50 -0400 Received: from xx1.develooper.com (xx1.dev [10.0.100.115]) by rtperl.develooper.com (Postfix) with ESMTP id 79C2F126 for <rt-perl5-security@rtperl.dev>; Tue, 13 Mar 2018 19:07:58 -0700 (PDT) Received: from localhost (xx1.develooper.com [127.0.0.1]) by localhost (Postfix) with ESMTP id D53F211FE15 for <rt-perl5-security@rtperl.dev>; Tue, 13 Mar 2018 19:07:57 -0700 (PDT) Received: from xx1.develooper.com (xx1.develooper.com [127.0.0.1]) by localhost (Postfix) with SMTP id 3A82611FDFF for <rt-perl5-security@rtperl.dev>; Tue, 13 Mar 2018 19:07:55 -0700 (PDT) Received: from x6.develooper.com (x6.develooper.com [207.171.7.86]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by xx1.develooper.com (Postfix) with ESMTPS id 0CB4411D372 for <rt-perl5-security@rt.perl.org>; Tue, 13 Mar 2018 19:07:54 -0700 (PDT) Received: by x6.develooper.com (Postfix, from userid 514) id 52ECBCA8; Tue, 13 Mar 2018 19:07:54 -0700 (PDT) Received: (qmail 20216 invoked from network); 14 Mar 2018 02:07:54 -0000 Received: from xx1.develooper.com (207.171.7.115) by x6.develooper.com with SMTP; 14 Mar 2018 02:07:54 -0000 Received: from localhost (xx1.develooper.com [127.0.0.1]) by localhost (Postfix) with ESMTP id A9A5611D372 for <perlmail-perl5-security-report@onion.perl.org>; Tue, 13 Mar 2018 19:07:53 -0700 (PDT) Received: from xx1.develooper.com (xx1.develooper.com [127.0.0.1]) by localhost (Postfix) with SMTP id 62F9411FE05 for <perlmail-perl5-security-report@onion.perl.org>; Tue, 13 Mar 2018 19:07:51 -0700 (PDT) Received: from rtcpan.develooper.com (rtcpan.develooper.com [207.171.7.181]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by xx1.develooper.com (Postfix) with ESMTPS id AF46F11FDFE for <perl5-security-report@perl.org>; Tue, 13 Mar 2018 19:07:50 -0700 (PDT) Received: by rtcpan.develooper.com (Postfix, from userid 536) id 3A9FF827; Tue, 13 Mar 2018 19:07:50 -0700 (PDT) From perlmail@x6.develooper.com Tue Mar 13 19:07:58 2018 Message-ID: <20180314020750.3A9FF827@rtcpan.develooper.com> CC: To: perl5-security-report@perl.org Content-Type: multipart/mixed; boundary="----------=_1520993270-30645-0" X-Original-To: rt-perl5-security@rtperl.dev X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2018.3.14.15415 X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2018.3.14.15415 Delivered-To: rt-perl5-security@rtperl.dev Delivered-To: perlmail-perl5-security-report@onion.perl.org X-RT-Interface: Email
Subject: Re: [perl #132973] Fwd: [rt.cpan.org #124769] SMTP command injection
Date: Wed, 14 Mar 2018 01:30:55 -0700
To: bug-SMTP-Server@rt.cpan.org
From: "Dave Mitchell via RT" <perl5-security-report-followup@perl.org>
On Tue, Mar 13, 2018 at 07:07:59PM -0700, via RT wrote:
Show quoted text
> This is forward of transaction #1776515 of a ticket #124769
Show quoted text
> #!perl > #use warnings; > #use strict; > use Net::SMTP; > my $smtp = Net::SMTP->new("localhost", > Hello => 'my.host.com', > Timeout => 60); > $smtp->mail("whitehat002\@hotmail.com"); > $smtp->to("499671216\@qq.com\n"); > $smtp->data(); > $smtp->datasend("From: whitehat002\@hotmail.com\nSubject: command inject\n"); > $smtp->datasend("To: 499671216\@qq.com\n"); > $smtp->quit; > print "send success\n"; > > > -------------------------- > > command inject > > From:whitehat002 <whitehat002@hotmail.com> > Date:Wednesday, Mar 14, 2018 9:59 AM > To: 道隐无名 <499671216@qq.com> > > Hello,perl security team, > Now I use smtp module,and I can inject command success.Another ticket #124765 should be closed,thanks.
Please can you stop raising the same issue (with the same email) to both rt.cpan.org ticket and a perl5-security at the same time, Pick one or the other. Otherwise it's very confusing for the automated systems and the people reading the emails. Also, rt.cpan.org is public, while perl5-security isn't. Raising the issue on both systems simultaneously means any sensitive information has already been made public. If you think there is an issue with Net::SMTP then you should have raised a ticket with the distribution which contains that module, i.e. libnet, NOT SMTP-Server. In any case, what you have shown is not a command injection, nor is it a security issue; Net::SMTP is behaving exactly as it should. I'm closing the perl security ticket now, -- Red sky at night - gerroff my land! Red sky at morning - gerroff my land! -- old farmers' sayings #14


This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.