Skip Menu |
 

This queue is for tickets about the Mail-SPF CPAN distribution.

Report information
The Basics
Id: 132486
Status: new
Priority: 0/
Queue: Mail-SPF

People
Owner: Nobody in particular
Requestors: nsczyx [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Find a bug in mail-spf
Date: Sun, 3 May 2020 12:37:50 +0800
To: bug-Mail-SPF [...] rt.cpan.org
From: 赵宇轩 <nsczyx [...] gmail.com>
Download (untitled) / with headers
text/plain 1007b
Hi, I found a bug in Mail-SPF. The details are as follows: When I structure an abnormal mail-from address such as “admin@gmail.com@ 163.com” and I input the correct ip of domain:163.com txt record.Mail-SPF will give the pass result. # perl spfquery --mfrom "admin@hacker.web@163.com" --ip-address 123.58.177.2 pass I have read the relevant code of regular expression(/lib/Mail/SPF/Request.pm:line265), and I have found it has a mistake.This way of writing will only match the character after the last ‘@’ character as a domain name. What's worse, when a hacker use character truncation bug of email system(actually in many web-mail providers and clinet-mail providers) and structure mail-from like “admin@gmail.com/xff@hacker.com” which hacer.com domain is under the control of hacker. In this time, spf procotol will pass and victim will have admin@gmail.com in visible. For example: in outlook-client. By the way,the version of Mail-SPF is v2.9.0 and the version of Perl is v5.18.4.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.