Add OSVDB-131677 for mail ruby gem
reedloden committed Dec 16, 2015
1 parent 60e1554 commit 274997c
Showing 1 changed file with 24 additions and 0 deletions.
24 changes: 24 additions & 0 deletions gems/mail/OSVDB-131677.yml
@@ -0,0 +1,24 @@
---
gem: mail
osvdb: 131677
url: http://www.mbsd.jp/Whitepaper/smtpi.pdf
title: Mail Gem for Ruby SMTP Injection via recipient email addresses
date: 2015-12-09

description: |
Mail Gem for Ruby is vulnerable to the recipient attack described in Takeshi
Terada's "SMTP Injection via recipient email addresses" whitepaper
(http://www.mbsd.jp/Whitepaper/smtpi.pdf), as it does not validate nor
sanitize given recipient addresses. Thus, the attacks described in the paper
can be applied to the library without any modification.
[email protected]>[CRLF]DATA[CRLF](message content)[CRLF].[CRLF]QUIT[CRLF]
The Mail library itself does not impose a length limit on email addresses,
so an attacker can send a long spam message via a recipient address unless
there is a limit on the application's side.
This vulnerability affects only applications that lack input validation.
patched_versions:
- ">= 2.6.0"
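Review bot: the description and the `patched_versions` field do not line up: the description states that the library "does not validate nor sanitize given recipient addresses" and that the issue "affects only applications that lack input validation", yet `patched_versions: - ">= 2.6.0"` asserts the gem itself fixed it. Add one sentence to the description saying what 2.6.0 changed for recipient handling (or a link to the fixing commit/release note) so a reader can verify the version boundary, and consider an `unaffected_versions` entry if older releases were not reachable by this attack. Separately, the bare payload line `[email protected]>[CRLF]DATA[CRLF](message content)[CRLF].[CRLF]QUIT[CRLF]` sits in the description with no introducing sentence and an apparently mangled recipient placeholder (the `<` before the address is missing while the `>` remains); prefix it with "For example, a recipient address of the form" and use an explicit placeholder such as `<user@example.com>` so the YAML block reads as intended.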
