Drupal module open to spammers
An update for the optional Form_Mail module for the Drupal CMS is intended to prevent attackers from using the system as a platform for spam. According to the developers, the module does not filter line feeds and carriage returns out of email headers, so it may be possible to manipulate the headers of outgoing emails. The flaw has been remedied in version 4.6.0. According to the security announcement, the problem does not affect Drupal core. In earlier versions, however, the email header could also be manipulated by means of holes in the core.
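The kind of check whose absence is described above, shown as an added example that is not taken from the Form_Mail module or its fix: form input is rejected if it contains a line break before it is placed in a mail header. The function names `safe_header_value` and `build_headers` and the sample inputs are hypothetical.

```php
<?php
// Added example: hypothetical helper names, not code from the Form_Mail module.

/**
 * Return a header value only if it contains no CR, LF or NUL bytes.
 * Rejecting is safer than silently stripping: a suspicious submission is not mailed at all.
 */
function safe_header_value(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('Line break in header value');
    }
    return trim($value);
}

/**
 * Build the additional-headers string for mail() from user-supplied form fields.
 */
function build_headers(string $fromName, string $fromAddress): string
{
    $fromName    = safe_header_value($fromName);
    $fromAddress = safe_header_value($fromAddress);
    if (filter_var($fromAddress, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    // Quote the display name so commas or angle brackets cannot change the address list.
    $fromName = '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $fromName) . '"';
    return "From: $fromName <$fromAddress>\r\nContent-Type: text/plain; charset=UTF-8";
}

// Constructed inputs: a normal submission and one with a line break in the name field.
$samples = [
    ['Alice Example', 'alice@example.org'],
    ["Alice Example\r\nX-Added: 1", 'alice@example.org'],
];

foreach ($samples as [$name, $address]) {
    try {
        echo build_headers($name, $address), "\n---\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n---\n";
    }
}
```

The first sample yields a two-line header block; the second is rejected before any header string is built.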
- Form_mail module allows arbitrary header injection, security announcement at Drupal.org
(ehe)