Vigil@nce - Oracle JavaMail: injection of SMTP header via setSubject
June 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who is allowed to choose the subject of an email, can
use a line feed, in order to force the setSubject() method of
Oracle JavaMail to inject a new SMTP header.
– Impacted products: Oracle JavaMail
– Severity: 2/4
– Creation date: 20/05/2014
DESCRIPTION OF THE VULNERABILITY
The Oracle JavaMail product is used by Java applications to send
an email.
The setSubject() method defines the email subject. However, line
feeds are not filtered. For example, the subject "test\r\nCc:
email" injects a new Cc header.
An attacker, who is allowed to choose the subject of an email, can
therefore use a line feed, in order to force the setSubject()
method of Oracle JavaMail to inject a new SMTP header.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Oracle-JavaMail-injection-of-SMTP-header-via-setSubject-14768