MIME injection problems with dtml-sendmail

Bug #143859 reported by Itamar Turner-Trauring
Affects: Zope 2
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

A spammer recently used one of our mail forms to send spam. Some investigation revealed that while it was, in theory, our fault in coding it, in practice it's a fundamental issue with dtml-sendmail.

Consider:
<dtml-sendmail>
To: <email address hidden>
From: <dtml-var sender>
Subject: Automated email from example.com

Reply to sender with info about our products.
</dtml-sendmail>

Looks fine, right? Except, we can use this form to send email to *anyone*, by using linebreaks, which lets the spammer add new lines:

www.example.com/submitemail.dtml?<email address hidden>%0ATo:%<email address hidden>%0A%0ABody%20of%20spam

will send a spam with body "Body of spam" to <email address hidden>. This is MIME injection, similar to SQL injection attacks.

None of the dtml-sendmail examples on zope.org note the need for quoting in dtml-sendmail, so I suspect this is a common issue. The problem is due to the fact you use templating for MIME, which really isn't a very good idea.

Possible solutions:
1. Update various dtml-sendmail docs to note need for quoting.
2. Change behavior of dtml-sendmail in some way to prevent this.
3. Tell people not to use dtml-sendmail at all.

I vote for #3, but #1 is certainly the easiest thing to do.

Tags: bug zope
Itamar Turner-Trauring (itamarst) wrote:

Notice that I'm not making the common mistake of setting the To header with a form argument, the recipient of the email is hardcoded.

Andreas Jung (ajung) wrote:

Changes: submitter email, importance (critical => medium)

Andreas Jung (ajung) wrote:

I consider this issue basically a question of documentation and programming-style. <dtml-var> offers several options to quote the content (so you can solve this on the application level). I don't want to see any magic like auto-quoting for <dtml-var> when called inside <dtml-sendmail>. I agree that it should be documented somewhere.

Philipp von Weitershausen (philikon) wrote:

If we still consider <dtml-sendmail> to be the recommended way of sending emails from Zope we should introduce <dtml-smtpvar> in analogy to <dtml-sqlvar>. If someone wants to do this, fine, but I actually think that sending emails should be done from Python (like Itamar suggests, the Python email package provides much better abstraction for MIME messages). So like Andreas suggests, we should add big warning signs to the <dtml-sendmail> docs plus a note to script this from Python instead.
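An added example (not Zope's code, nor any commenter's) that puts the two approaches side by side: the naive string-interpolation path that dtml-sendmail effectively takes, and the Python-side construction with the email package that the comment above recommends. The template text and the injected form value are constructed to mirror the report's example; the function and constant names are this example's own.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# The report's template, with the form field substituted by plain string
# interpolation, exactly as a templating engine would do it.
TEMPLATE = (
    "To: owner@example.com\n"
    "From: {sender}\n"
    "Subject: Automated email from example.com\n"
    "\n"
    "Reply to sender with info about our products.\n"
)

# Constructed form input: a line break in the sender value smuggles in a second
# To: header and a fresh body, which is the header injection described above.
INJECTED_SENDER = "attacker@example.net\nTo: victim@example.org\n\nBody of spam"


def render_naive(sender: str) -> str:
    """Mimic dtml-sendmail: interpolate the form value into the message text."""
    return TEMPLATE.format(sender=sender)


def header_values(raw: str, name: str) -> list[str]:
    """Parse a rendered message and list every value of the named header.

    A second To: (or Bcc:) value here means the template was injected into.
    """
    return message_from_string(raw).get_all(name, [])


_CRLF = re.compile(r"[\r\n]")


def is_safe_header_value(value: str) -> bool:
    """A header value must fit on one line; any CR or LF is an injection attempt."""
    return _CRLF.search(value) is None


def build_message(sender: str) -> EmailMessage:
    """Hardened equivalent of the template: validate the form value first, then
    let the email package assemble headers and body. EmailMessage also raises
    ValueError on its own for multi-line header values, so nothing is built
    from raw message text."""
    if not is_safe_header_value(sender):
        raise ValueError("sender contains a line break; refusing to send")
    msg = EmailMessage()
    msg["To"] = "owner@example.com"
    msg["From"] = sender
    msg["Subject"] = "Automated email from example.com"
    msg.set_content("Reply to sender with info about our products.")
    return msg
```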

Andreas Jung (ajung) wrote:

This issue is not security related, it must not be confidential.

Andreas Jung (ajung) wrote:

Changes: security_related unset

Andreas Jung (ajung) wrote:

Triggered by security_related toggle.

Hanno Schlichting (hannosch) wrote:

Updating the documentation would be a good idea here. DTML has been discouraged for so long now that changing any of its code doesn't make much sense anymore.

Changed in zope2:
status: New → Confirmed
Colin Watson (cjwatson) wrote:

The zope2 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it at https://github.com/zopefoundation/zope2.

Changed in zope2:
status: Confirmed → Invalid