Thanks to a user on the Forums I was notified of an arbitrary header injection issue in the "Mail Entry" plugin. This plugin is only available in our additional_plugins repository; it is neither bundled nor installed by default, and, according to the forum messages, it is not a frequently used plugin.

In this plugin it was possible for spammers to inject arbitrary e-mail header fields into an e-mail that was passed to the PHP mail() function. This can lead to your server being used as a spam or phishing mail relay. It does not compromise SQL or author data and does not make your blog as such insecure. Many mail servers also do not let spam mails like these through if they apply some level of relay checking.

The additional_plugins repository contains several plugins from other people, for which the Serendipity developers can only take a ground-level of responsibility. We leave much of the responsibility up to the authors, even though we perform several tests on new plugins, and we are very sorry for this security issue in the plugin. We strongly advise plugin authors to use the serendipity_sendMail() function to send e-mails, which applies some validation of e-mail headers.

Version 1.20 of the plugin has just been committed and can be fetched from CVS after the usual SourceForge anonymous lag of about 24 hours. Users of that plugin are urged to either remove the plugin or temporarily deactivate it until they have upgraded to the new version.
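To illustrate the class of bug described above, here is an added example (not the Mail Entry plugin's code and not serendipity_sendMail()) of a header builder for PHP mail(): the unsafe pattern that lets a line break in user input start a new header field, next to a hardened version that rejects such values before anything reaches mail(). The function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not the plugin's own code. Shows why user input must be
// validated before it is placed into the additional_headers argument of mail().

// UNSAFE: the user-controlled value is pasted straight into a header line.
// A CR or LF inside the value terminates "From:" and whatever follows the
// break is handed to mail() as a further, attacker-chosen header field.
function build_headers_unsafe(string $from): string {
    return "From: " . $from . "\r\n";
}

// Reject any header value containing CR, LF or NUL. A single header value
// never legitimately contains a line break, so this is the minimal check
// that closes the injection mechanism.
function header_value_or_fail(string $value, string $name): string {
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("Line break in header '$name'");
    }
    return trim($value);
}

// HARDENED: validate the value and additionally require a single well-formed
// address for From, so nothing but an address can appear on that line.
function build_headers_safe(string $from): string {
    $from = header_value_or_fail($from, 'From');
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('From is not a single e-mail address');
    }
    return "From: " . $from . "\r\n";
}

// Constructed inputs: a clean address and one carrying an embedded line break.
$clean    = 'reader@example.org';
$injected = "reader@example.org\r\nX-Test: injected";

// The unsafe builder yields two header lines from one input field.
echo build_headers_unsafe($injected);

// The hardened builder throws and nothing would be passed to mail().
try {
    build_headers_safe($injected);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

// A clean address passes through unchanged.
echo build_headers_safe($clean);
```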