Improve the domain check of the built in mail form

Post by cmb » Thu Feb 05, 2015 12:09 am

Hello Community,

Inspired by the recent hype regarding the GHOST vulnerability, I had a closer look at our mail form. Indeed, that might allow an exploit for the GHOST vulnerability, if PHP uses an underlying vulnerable gethostbyname(). However, I assume that many servers are not vulnerable to GHOST, and those that are may well have even severe vulnerabilities. Some evidence may be that it has gotten quite silent regarding GHOST on the web, if I'm not mistaken. Anyhow, I don't consider this something that CMSimple_XH should take care of -- a patch should be applied to glibc.

Nonetheless I suggest the following patch for XH 1.6.6:

Index: cmsimple/classes/Mailform.php
===================================================================
--- cmsimple/classes/Mailform.php	(revision 1480)
+++ cmsimple/classes/Mailform.php	(working copy)
@@ -445,7 +445,9 @@
                 ? idn_to_ascii($domain, 0, INTL_IDNA_VARIANT_UTS46)
                 : idn_to_ascii($domain);
         }
-        if (gethostbyname($domain) == $domain) {
+        if ($domain
+            && (strlen($domain) > 255 || gethostbyname($domain) == $domain)
+        ) {
             return false;
         }
         return true;
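Review bot: In the added condition, a falsy $domain (idn_to_ascii() returning false, or an empty string) short-circuits the `$domain && (...)` test, so `return false;` is skipped and control falls through to `return true;`, which accepts an address whose domain failed IDN conversion. Suggest rejecting that case explicitly, e.g. `if (!$domain || strlen($domain) > 255 || gethostbyname($domain) == $domain) {`, which still keeps false and over-long names away from the DNS lookup. A one-line comment explaining the 255 limit would help future readers, and `===` would be the stricter comparison for the gethostbyname() result.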
My reasoning is that domain names are restricted to at most 255 octets anyway, and we don't have to bother the DNS for invalid domain names. The check for $domain is necessary because idn_to_ascii() may return `false`. If it does so, we don't have to call gethostbyname().

Users running CMSimple_XH on a server vulnerable to GHOST should ask their provider to install a patch. Otherwise you could apply the patch. For those not accustomed to patches: just remove the line with a minus sign at the beginning, and insert the lines with a plus sign (but without the plus sign!).
Christoph M. Becker – Plugins for CMSimple_XH

Re: Improve the domain check of the built in mail form

Post by cmb » Mon Jun 15, 2015 5:06 pm

Done (r1636, r1638).
Christoph M. Becker – Plugins for CMSimple_XH
