MIME injection problems with dtml-sendmail
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Invalid | Medium | Unassigned |
Bug Description
A spammer recently used one of our mail forms to send spam. Some investigation revealed that while it was, in theory, our fault in coding it, in practice it's a fundamental issue with dtml-sendmail.
Consider:
<dtml-sendmail>
To: <email address hidden>
From: <dtml-var sender>
Subject: Automated email from example.com
Reply to sender with info about our products.
</dtml-sendmail>
Looks fine, right? Except we can use this form to send email to *anyone* by using linebreaks, which lets the spammer add new lines:
www.example.
will send a spam with body "Body of spam" to <email address hidden>. This is MIME injection, similar to SQL injection attacks.
None of the dtml-sendmail examples on zope.org note the need for quoting in dtml-sendmail, so I suspect this is a common issue. The problem is due to the fact that you use templating for MIME, which really isn't a very good idea.
Possible solutions:
1. Update various dtml-sendmail docs to note need for quoting.
2. Change behavior of dtml-sendmail in some way to prevent this.
3. Tell people not to use dtml-sendmail at all.
I vote for #3, but #1 is certainly the easiest thing to do.
Notice that I'm not making the common mistake of setting the To header with a form argument, the recipient of the email is hardcoded.
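The header injection described in this report, shown beside a hardened builder, as an added example that is not part of the bug report or of Zope: the vulnerable function mirrors the dtml-sendmail template above (form field pasted straight into the From: header); the hardened one rejects CR/LF before the value ever becomes a header and lets the standard library serialise the message. The addresses and the injected input are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.parser import Parser
from email.policy import default

# Constructed inputs: the second one smuggles a Bcc: header via a newline.
CLEAN_SENDER = "customer@example.com"
INJECTED_SENDER = "attacker@example.com\nBcc: victim@example.net"

RECIPIENT = "sales@example.com"  # hardcoded, as in the report's template


def vulnerable_build(sender: str) -> str:
    """String templating, like the dtml-sendmail block: no header quoting."""
    return (f"To: {RECIPIENT}\n"
            f"From: {sender}\n"
            "Subject: Automated email from example.com\n"
            "\n"
            "Reply to sender with info about our products.\n")


def header_value_is_safe(value: str) -> bool:
    """A header value must be one line with no control characters."""
    return re.search(r"[\r\n\x00-\x1f\x7f]", value) is None


def safe_build(sender: str) -> str:
    """Validate the form field, then let the email library write the headers."""
    if not header_value_is_safe(sender):
        raise ValueError("refusing header injection attempt")
    msg = EmailMessage()  # default policy also refuses multi-line values
    msg["To"] = RECIPIENT
    msg["From"] = sender
    msg["Subject"] = "Automated email from example.com"
    msg.set_content("Reply to sender with info about our products.")
    return msg.as_string()


def delivery_headers(raw: str) -> list:
    """Detection side: list the delivery headers a serialised message carries.

    The template only ever sets To:, so any Cc:/Bcc: here means a field was
    injected.
    """
    msg = Parser(policy=default).parsestr(raw)
    return [h for h in ("To", "Cc", "Bcc") if msg[h] is not None]
```

Running `delivery_headers` over outgoing mail from a form is a cheap log-side check: the report's template produces `["To"]` for clean input and `["To", "Bcc"]` once the injected sender goes through `vulnerable_build`.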