Opened 3 years ago

Closed 3 years ago

#1331 closed defect (invalid)

HYPERLINK INJECTION/EMAIL INJECTION

Reported by: orthonviper@…
Owned by:
Priority: major
Milestone:
Component: other
Version: 1.10.x
Keywords: BUG
Cc:
uname -a: orthonviper@gmail.com
nginx -V: 1.10.3

Description

Hello team,

Nginx is such a trusted website. It is famous for the security nginx provides to its customers. But there is a bug in the signup form where an attacker can inject malicious links (HTML) and affect any user whom they target through their email ID. This results in a bad reputation for the company.

BUG DESCRIPTION:
Email injection is a security vulnerability that can occur in Internet applications that are used to send email messages. It is the email equivalent of HTTP Header Injection.

Steps to reproduce:
1. Go to URL: https://www.nginx.com
2. Now click on free trial
3. Fill in the sign-up form by giving first names with a malicious link or HTML code,
example :
--> go to this link https://example.com
--> <a href="bf.am">click here for pass</a>

4. Now give the victim's email ID and submit the form
5. The victim will get mails from NGINX with the malicious link injected

Kindly find the attached images for better understanding.

Attachments (2)

Screenshot (2801).png (219.5 KB ) - added by orthonviper@… 3 years ago.
Screenshot (2800).png (252.9 KB ) - added by orthonviper@… 3 years ago.

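A server-side check for the form field described in the report, as an added example that is not part of the ticket or of any nginx code: it rejects first-name values that carry markup, URL-like text or CR/LF, and HTML-escapes the name in the mail body. The function names, the validation policy and the sender address are assumptions.

```python
import html
import re
import unicodedata
from email.message import EmailMessage

# Assumed policy: a first name carries no markup, no URL-like text, no control characters.
_URLISH = re.compile(r"(?i)(https?:|www\.|//|\b[a-z0-9-]+\.[a-z]{2,}\b)")
MAX_NAME_LEN = 64


def clean_first_name(raw: str) -> str:
    """Return a normalized name, or raise ValueError if it could carry a link or markup."""
    name = unicodedata.normalize("NFKC", raw).strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("name length out of range")
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        raise ValueError("control character in name")  # covers CR and LF
    if "<" in name or ">" in name:
        raise ValueError("markup character in name")
    if _URLISH.search(name):
        # Mail clients auto-link bare URLs, so escaping alone does not stop these.
        raise ValueError("URL-like text in name")
    return name


def build_welcome_email(first_name: str, recipient: str) -> EmailMessage:
    """Validate the name, then escape it again where it enters the HTML part."""
    name = clean_first_name(first_name)
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"  # placeholder sender
    msg["To"] = recipient
    msg["Subject"] = "Your trial"
    msg.set_content(f"Hello {name},\n\nYour trial is ready.\n")
    msg.add_alternative(
        f"<p>Hello {html.escape(name)},</p><p>Your trial is ready.</p>",
        subtype="html",
    )
    return msg


def is_rejected(value: str) -> bool:
    """True when the validation policy refuses the submitted first name."""
    try:
        clean_first_name(value)
    except ValueError:
        return True
    return False
```

The URL-like pattern is deliberately strict and will also refuse a few legitimate values such as "St.John"; loosen it only if the name is never rendered where a mail client can auto-link it.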

Change History (3)

by orthonviper@…, 3 years ago

Attachment: Screenshot (2801).png added

by orthonviper@…, 3 years ago

Attachment: Screenshot (2800).png added

comment:1 by Valentin V. Bartenev, 3 years ago

Resolution: → invalid
sensitive: 0 → 1
Status: new → closed

Thank you for your report. It was passed to the person who is responsible for nginx.com website.

I'm closing this ticket with "invalid" resolution since this bug-tracker is intended only for tracking open-source nginx and related resources.
