MOPB-33-2007:PHP mail() Message ASCIIZ Byte Truncation

Summary

When the mail() function is called with a message that contains an ASCIIZ byte it considers it the end of the message. PHP applications not filtering ASCIIZ strings from user input before embedding it into the message are therefore vulnerable to arbitrary email truncation.
Affected versions

Affected are PHP 4 <= 4.4.6 and PHP 5 <= 5.2.1
Detailed information

Web applications sending email with PHP's mail() function often craft the email message with a construct like this.

$message = "Dear ".$_GET['name'];
$message .= "you have successfully …";

In this example the name is inserted into the email message without further checks. It is obvious that this allows adding a textblock to the email message that is completely under control of the person injecting it. However under normal circumstances the manipulation is obvious, because the original text stays appended to the mail.

Unfortunately mail() internally handles the message as a ASCIIZ terminated string and therefore it is possible for an attacker to truncate the text after the inserted text by simply embedding a ASCIIZ character.
Proof of concept, exploit or instructions to reproduce

A simple test for this vulnerability is the following PHP script:

<?php
mail("test@domain(dot)com", "Truncation Test", "You will see this message\0but not this");
?>

Notes

In articles about email injection one usually only reads about header injection in the additional header parameter but not about this ASCIIZ byte injection that often allows completely replacing the email body with something else and then truncating the end.