
    * Accepting the email address to send token to from web user, 
      validating the address, and then using the user input directly
      as the email address to send the token to; as in: systems that
      will send token to user@real.com;attacker@evil.com.
Ouch, that's really devious and extremely clever.


I think that might work on one of the apps I maintain.

Sigh, adds to wunderlist.


I'm missing something here... How does "user@real.com;attacker@evil.com" validate as "user@real.com"? Is this a regexp vs strcmp() issue or is there something more subtle at play?


One scenario I can imagine is a regex which doesn't properly handle multi-line inputs (a quite common issue in Ruby[1]). Together with a mail header injection vulnerability, this input could be dangerous:

  user@real.com\nCc:attacker@evil.com
[1]: http://guides.rubyonrails.org/security.html#regular-expressi...
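The multi-line regex scenario above, and the "validate, then paste the raw input into the mail" pattern from the quoted advice earlier in the thread, as an added example: this is not code from the thread, from the linked Rails guide, or from any project named here. In Ruby, ^ and $ are line anchors, so a pattern anchored with them accepts the first line of "user@real.com\nCc:attacker@evil.com" and a naive mailer then emits the second line as a real Cc: header. \A and \z anchor to the whole string and reject it. The mailer below is a constructed stand-in that only builds a header block; nothing is sent.

```ruby
# ^ and $ are LINE anchors in Ruby: they match around every "\n", so the
# first line of a multi-line input satisfies the pattern on its own.
EMAIL_RE_LINE_ANCHORED   = /^[\w.+-]+@[\w-]+(\.[\w-]+)+$/
# \A and \z anchor to the start and end of the WHOLE string.
EMAIL_RE_STRING_ANCHORED = /\A[\w.+-]+@[\w-]+(\.[\w-]+)+\z/

def valid_email_weak?(addr)
  addr.match?(EMAIL_RE_LINE_ANCHORED)
end

def valid_email_strict?(addr)
  addr.match?(EMAIL_RE_STRING_ANCHORED)
end

# Constructed stand-in for a naive mailer: the validated input is pasted
# straight into the To: header, exactly the pattern the thread describes.
def build_headers(to)
  "To: #{to}\r\nSubject: Your login token\r\n"
end

# Every recipient header the mail server would see in the built message.
# A bare "\n" in the address is enough to split the To: line in two.
def recipient_headers(to)
  build_headers(to).split(/\r?\n/).grep(/\A(To|Cc|Bcc):/i)
end

# Returns the outgoing header block, or nil if the chosen validator
# rejected the input. strict: false models the ^/$ validator.
def send_token(addr, strict: true)
  ok = strict ? valid_email_strict?(addr) : valid_email_weak?(addr)
  ok ? build_headers(addr) : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one legitimate, two hostile.
  samples = [
    "user@real.com",                        # legitimate
    "user@real.com\nCc:attacker@evil.com",  # newline / header injection
    "user@real.com;attacker@evil.com",      # delimiter smuggling
  ]
  samples.each do |s|
    puts "#{s.inspect}: weak=#{valid_email_weak?(s)} strict=#{valid_email_strict?(s)} " \
         "headers=#{recipient_headers(s).inspect}"
  end
end
```

Note that the ^/$ validator does reject the plain semicolon form, because ";" is not an address character and there is no newline for $ to match before; the semicolon only becomes a problem when the code after validation hands the string to a mailer that treats ";" as a list delimiter, as a later comment in the thread suggests. The newline form is the one the regex itself lets through.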


Total speculation, but maybe they're trying to be clever and accept things like "John Doe <john@doe.com>" as being equivalent to "john@doe.com" and end up using a full e-mail parsing library for the matching which is more capable than they realize?


It may send it to multiple addresses. I know in outlook and in .NET libraries, the semicolon is the delimiter for multiple email addresses.


Might have been validated in step 1, but the email goes out to the email in a hidden field in step 2, etc.

