Web Application Security
Whitepaper: SMTP Injection via recipient email addresses Dec 09 2015 08:20AM
Takeshi Terada (mbsdtest01 gmail com) (1 replies)
Dear all,

MBSD released a whitepaper titled "SMTP Injection via recipient email
addresses."
http://www.mbsd.jp/Whitepaper/smtpi.pdf

The paper discusses SMTP Injection attacks via malformed recipient
email addresses in some email libraries in Ruby, Java and PHP.

TOC
1. Introduction
2. How the attack works
3. Vulnerability examples
3.1. Ruby's Mail
3.2. JavaMail
3.3. PHPMailer
3.4. Other platforms
4. Further attack possibility
4.1. FWS Attack
4.2. CRLF-less attack
4.3. Line-breaks for SMTP servers
5. Sender address attack
6. Conclusion

Best regards,

--
Takeshi Terada
Mitsui Bussan Secure Directions, Inc.
http://www.mbsd.jp/

Re: Whitepaper: SMTP Injection via recipient email addresses Dec 16 2015 08:28PM
Amit Klein (aksecurity gmail com)


 
