• Advisory ID: DRUPAL-SA-2006-009
• Project: form_mail
• Date: 2006-Jul-4
• Security risk: moderately critical
• Impact: security bypass
• Exploitable from: remote
• Vulnerability: mail header injection attack

Description

Linefeed and carriage-return characters were not stripped from user-supplied values before those values were placed in email headers, so a crafted submission could insert bogus headers into outgoing email.

This could allow an affected site to be used to send unwanted email.
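The fix for this class of bug is to make sure no line break from form input ever reaches a header line. The following PHP is an added illustration written for this advisory, not code from form_mail or Drupal; the function names and the sample submission are hypothetical, and it uses only standard PHP functions (`str_replace`, `preg_match`, `filter_var`).

```php
<?php
// Added illustration (not form_mail's own code): keep CR/LF out of mail headers.
// Function names are hypothetical; the submitted array below is constructed.

/**
 * Remove CR, LF and NUL from a header value. Use this when the value should
 * survive even if a user pasted a line break into a single-line field.
 */
function sanitize_mail_header(string $value): string {
  return str_replace(["\r", "\n", "\0"], '', $value);
}

/**
 * Stricter alternative: refuse the submission outright. A legitimate name,
 * address or subject never needs a line break, so one is a red flag.
 */
function is_safe_mail_header(string $value): bool {
  return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * Build the additional-headers string for mail() from untrusted form input.
 * Every header value is sanitized; the message body is not, because line
 * breaks are legitimate there and it is never part of the header block.
 */
function build_form_mail_headers(array $fields): string {
  $name = sanitize_mail_header($fields['name'] ?? '');
  $from = sanitize_mail_header($fields['email'] ?? '');
  // A stripped value can still be a malformed address; check it parses as one.
  if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
    throw new InvalidArgumentException('Invalid sender address');
  }
  return "From: $name <$from>\r\n" . "Reply-To: $from\r\n";
}

// Constructed sample submission: the name field carries an embedded line break
// followed by text that would be parsed as a second header if passed through.
$submitted = [
  'name'  => "Alice\r\nBcc: other@example.com",
  'email' => 'alice@example.com',
  'body'  => "Hello,\nplease call me.",
];

$headers = build_form_mail_headers($submitted);

// After sanitizing, the header block holds exactly the two lines we wrote and
// the injected text is just part of the display name.
var_dump(substr_count($headers, "\r\n"));
var_dump(strpos($headers, "\r\nBcc") === false);

// The strict check would have rejected the same submission up front.
var_dump(is_safe_mail_header($submitted['name']));
var_dump(is_safe_mail_header($submitted['email']));
```

Stripping keeps the form usable when a user accidentally pastes a line break; rejecting makes the attempt visible in logs. Either is correct so long as it is applied to every value that ends up in a header, including the reply-to and subject fields, and the body is kept out of the header block entirely.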

Versions affected

form_mail versions prior to revision 1.8.2.2 on 27.6.2006

Drupal core is not affected.

Solution

Download the latest version of form_mail: form_mail-4.6.0.tar.gz

Reported by

Adam Gundry

Contact

The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.