Development

Register user - problem with header in email validation.

posts: 2

Hi,

I installed a new Tiki on my server. In the configuration I set validation of new users...

When I create a new account, the validation mail is not delivered to me. The server log has:
Logs: error client 111.33.66.66 alert - mail() - newline in subject header, possible injection, mail dropped (attacker 111.33.66.66', file '/home/tiki/lib/webmail/htmlMimeMail.php', line 734), referer: http://city.org/tiki/tiki-register.php

I checked the variables in this line and found a \n (newline) character at the end of the sentence in $subject.

Why does the code not protect against the characters excluded by RFC 2047?

posts: 1817 Catalan Countries

Dear Michal.Kress:

From tiki-devel email list, a developer fixed it for you, it seems.

Can you confirm that this change fixes your issue in your server?

Thanks

Xavi

On 06/08/12 15:23, Jean-Marc Libs wrote:
Hi Xavi,

My opinion is, any supplementary newline in a mail subject will be interpreted as a security issue by the mail server, because that makes it possible to inject any extra SMTP header line. So it's not surprising some modern mail servers detect and reject that.

It's probably a bug in a Tiki tpl file (usually a subject file starting with a comment all alone before the subject line, which Smarty then changes into a blank line).

Found it, I guess:
$ more templates/mail/confirm_user_email_subject.tpl
{* $Id: confirm_user_email_subject.tpl 33949 2011-04-14 05:13:23Z chealer $ *}
{tr}Confirm your email at %s{/tr}

You can tell him to remove the top line and just leave a one-line {tr}Confirm your email at %s{/tr} in file templates/mail/confirm_user_email_subject.tpl

I did it in revision 42533.

I hope that's it, as opposed to some faulty subject line being hand-crafted in some php file.

Cheers,
Jyhem


posts: 2

This solution did not fix my problem.

I listed the ASCII codes of $subject:
normal text:
"Your registration confirmation (mydomain.org)
"

The last char in $subject is ASCII code 10, after ")", and this character generates the problem.

In htmlMimeMail.php I added, before the send function:
$subject = preg_replace('/[[:cntrl:]]/', '', $subject);

and the confirmation mails are delivered.

I have no idea why character #10 is added at the end of $subject.
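The two posts above describe the same defect from both ends: a Smarty subject template leaves a trailing newline in the rendered subject, and the MTA (correctly) treats a bare newline in a header value as a possible header injection and drops the mail. The following PHP is an added example, not Tiki's or htmlMimeMail's own code, showing a check that rejects control characters in a header value and a sanitizer in the spirit of the preg_replace line Michal.Kress added. The function names isSafeHeaderValue() and sanitizeSubjectHeader() and the sample subject string are assumptions constructed for the example.

```php
<?php
// Added example (not Tiki's code): validate a Subject header value before it
// reaches mail(). Function names are assumptions made for this example.

/**
 * True when the value contains no CR, LF or other control character, so it
 * cannot terminate the Subject: line and start a new header.
 */
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

/**
 * Remove control characters (including the trailing newline a template with a
 * lone Smarty comment on its first line leaves behind) and trim the result.
 * Same idea as the preg_replace fix quoted in the thread, plus a trim().
 */
function sanitizeSubjectHeader(string $value): string
{
    $clean = preg_replace('/[[:cntrl:]]/', '', $value);
    return trim($clean);
}

// Constructed sample: the subject exactly as the thread reports it, with
// ASCII 10 after the closing parenthesis.
$rendered = "Your registration confirmation (mydomain.org)\n";

if (!isSafeHeaderValue($rendered)) {
    // Log the event so the template bug is visible, then clean the value
    // instead of letting the MTA drop the message silently.
    error_log('Subject header contained control characters; sanitized before mail()');
    $rendered = sanitizeSubjectHeader($rendered);
}

echo 'safe: ', var_export(isSafeHeaderValue($rendered), true), PHP_EOL;
echo 'subject: ', var_export($rendered, true), PHP_EOL;
```

The check and the sanitizer are separate on purpose: the log line from the check is what tells you a template still renders a stray blank line (so the tpl can be fixed, as in revision 42533), while the sanitizer keeps registration mail flowing in the meantime. The same validation applies to any other header built from template output or user input, not only Subject.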


posts: 1817 Catalan Countries

Dear Michal.Kress:

You are welcome to join the tikiwiki-devel list, where most discussion about changes to the code is held:

See link here: http://tiki.org/Lists

And you are very welcome to fix those issues in the central repository of code. See:
http://dev.tiki.org/Commit

Cheers and thanks for improving Tiki