Vigil@nce - Oracle JavaMail: header injection via msg.setFrom
August 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who is allowed to choose the email sender, can use a
line feed, in order to force the msg.setFrom() method of Oracle
JavaMail to inject an header.
Impacted products: Oracle JavaMail.
Severity: 1/4.
Creation date: 11/08/2016.
DESCRIPTION OF THE VULNERABILITY
The Oracle JavaMail product is used by Java applications to send
an email.
The msg.setFrom() method defines the email sender. However, line
feeds are not filtered in the sender name. For example, "My Name
\nX-SomeHeader: somedata" injects the "X-SomeHeader: somedata"
header.
An attacker, who is allowed to choose the email sender, can
therefore use a line feed, in order to force the msg.setFrom()
method of Oracle JavaMail to inject an header.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Oracle-JavaMail-header-injection-via-msg-setFrom-20363