Subject: Find a bug in mail-spf
Date: Sun, 3 May 2020 12:37:50 +0800
To: bug-Mail-SPF [...] rt.cpan.org
From: 赵宇轩 <nsczyx [...] gmail.com>

Hi, I found a bug in Mail-SPF. The details are as follows:

When I structure an abnormal mail-from address such as “admin@gmail.com@163.com” and I input the correct IP of the domain 163.com TXT record, Mail-SPF will give the pass result.

# perl spfquery --mfrom "admin@hacker.web@163.com" --ip-address 123.58.177.2
pass

I have read the relevant regular expression code (/lib/Mail/SPF/Request.pm, line 265), and I have found it has a mistake. This way of writing will only match the characters after the last ‘@’ character as a domain name.

What's worse, a hacker can use a character truncation bug of an email system (actually in many web-mail providers and client-mail providers) and structure a mail-from like “admin@gmail.com/xff@hacker.com”, where the hacker.com domain is under the control of the hacker. In this case, the SPF protocol will pass and the victim will have admin@gmail.com visible. For example: in outlook-client.

By the way, the version of Mail-SPF is v2.9.0 and the version of Perl is v5.18.4.
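
The parsing behaviour described in this report, next to a stricter pre-check a caller could run before SPF evaluation, as an added example that is not part of the original report and is not Mail-SPF code. The pattern in `split_last_at` is a stand-in for "everything after the last '@' is the domain", not a copy of the line in Request.pm; `split_strict` is a hypothetical helper, and the sample identities are the ones quoted above plus one constructed normal address.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the behaviour the report describes: the greedy first group
# swallows earlier '@' characters, so the domain is whatever follows the
# LAST '@'. Not the regex taken from Mail::SPF::Request.
sub split_last_at {
    my ($identity) = @_;
    return $identity =~ /^(.*)\@(.*?)$/s ? ($1, $2) : ();
}

# Hypothetical strict pre-check: exactly one '@', a dot-atom local part and
# an LDH hostname with at least two labels. Quoted local parts, slashes in
# the domain and non-ASCII bytes are rejected on purpose, so an identity a
# mail client might render differently never reaches the SPF check.
sub split_strict {
    my ($identity) = @_;
    my $atext = qr/[A-Za-z0-9!#\$%&'*+\/=?^_`{|}~-]/;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $identity =~ /\A($atext+(?:\.$atext+)*)\@($label(?:\.$label)+)\z/
        ? ($1, $2) : ();
}

# Identities from the report, plus one constructed well-formed address.
my @samples = (
    'admin@163.com',                    # constructed, well-formed
    'admin@hacker.web@163.com',         # from the spfquery command above
    'admin@gmail.com/xff@hacker.com',   # from the report, as written
);

for my $id (@samples) {
    my (undef, $loose)  = split_last_at($id);
    my (undef, $strict) = split_strict($id);
    printf "%-32s last-\@ domain=%-11s strict=%s\n",
        $id,
        defined $loose  ? $loose  : '(none)',
        defined $strict ? $strict : 'REJECT';
}
```

Only the first sample passes the strict check; for the other two the last-'@' split yields 163.com and hacker.com, which is the domain an SPF lookup would then be evaluated against.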