National Cyber Awareness System

Vulnerability Summary for CVE-2005-3883

Overview

CRLF injection vulnerability in the mb_send_mail function in PHP before 5.1.0 might allow remote attackers to inject arbitrary e-mail headers via line feeds (LF) in the "To" address argument.

Impact

CVSS Severity (version 2.0 upgrade from v1.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: BID

Name: 15571

Type: Patch Information

Hyperlink:http://www.securityfocus.com/bid/15571

External Source: CONFIRM

Name: http://www.php.net/release_5_1_0.php

Type: Patch Information

Hyperlink:http://www.php.net/release_5_1_0.php

External Source: SECUNIA

Name: 17763

Type: Advisory; Patch Information

Hyperlink:http://secunia.com/advisories/17763

External Source: VUPEN

Name: ADV-2006-2685

Hyperlink:http://www.vupen.com/english/advisories/2006/2685

External Source: OVAL

Name: oval:org.mitre.oval:def:10332

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10332

External Source: MISC

Name: http://bugs.php.net/bug.php?id=35307

Hyperlink:http://bugs.php.net/bug.php?id=35307

External Source: XF

Name: php-mbsendmail-header-injection(23270)

Hyperlink:http://xforce.iss.net/xforce/xfdb/23270

External Source: UBUNTU

Name: USN-232-1

Hyperlink:http://www.ubuntulinux.org/usn/usn-232-1/document_view

External Source: TURBO

Name: TLSA-2006-38

Hyperlink:http://www.turbolinux.com/security/2006/TLSA-2006-38.txt

External Source: SUSE

Name: SUSE-SA:2005:069

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/419504/100/0/threaded

External Source: MANDRIVA

Name: MDKSA-2005:238

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2005:238

External Source: CONFIRM

Name: http://support.avaya.com/elmodocs2/security/ASA-2006-129.htm

Hyperlink:http://support.avaya.com/elmodocs2/security/ASA-2006-129.htm

External Source: SECTRACK

Name: 1015296

Hyperlink:http://securitytracker.com/id?1015296

External Source: SECUNIA

Name: 20951

Hyperlink:http://secunia.com/advisories/20951

External Source: SECUNIA

Name: 20210

Hyperlink:http://secunia.com/advisories/20210

External Source: SECUNIA

Name: 19832

Hyperlink:http://secunia.com/advisories/19832

External Source: SECUNIA

Name: 18198

Hyperlink:http://secunia.com/advisories/18198

External Source: SECUNIA

Name: 18054

Hyperlink:http://secunia.com/advisories/18054

External Source: REDHAT

Name: RHSA-2006:0276

Hyperlink:http://rhn.redhat.com/errata/RHSA-2006-0276.html

External Source: SGI

Name: 20060501-01-U

Hyperlink:ftp://patches.sgi.com/support/free/security/advisories/20060501-01-U.asc

References to Check Content

Identifier:oval:org.mitre.oval:def:10332

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10332