WebApp Sec mailing list archives
Email header injection in PHP
From: "Harry Metcalfe" <harry () slaptop com>
Date: Mon, 8 Aug 2005 23:30:52 +0100
This is not a new problem, but I recently ran afoul of it and I thought someone out there might appreciate a heads-up. It's pretty easy for malicious users to inject headers into contact forms. This is often used to send spam by injecting a BCC header with a long list of email addresses. It's quite similar to the recently discovered header injection flaw in oscommerce: the solution is to check for, and remove, any line return(s) which may be present in data passed to mail() -- other than in the message parameter, obviously.

This can have an added annoyance: some ISPs - AOL, most notably - will reject _all_ incoming mail (forever) from servers from which they have previously received spam. A vulnerable form on your server can thus lead to more problems than a little spam.

More information here:
http://musingsofharry.blogspot.com/2005/08/email-header-injection-in-php.html

HTH,
Harry Metcalfe
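The injection and the check described in the post above, as an added example that is not part of the original message. The form-field names, the helper functions and the attacker input are assumptions made for illustration; the only PHP built-ins used are preg_match(), filter_var() and mail().

```php
<?php
// Added example, not code from the original post. Shows a contact-form
// header block built the vulnerable way, the same block built with the
// line-break check Harry recommends, and what an injected Bcc: looks like.

// Vulnerable: form fields are interpolated straight into the additional
// headers string handed to mail(). Any CR/LF in $from_name starts a new
// header line of the attacker's choosing.
function build_headers_vulnerable(string $from_email, string $from_name): string
{
    return "From: $from_name <$from_email>\r\n"
         . "Reply-To: $from_email\r\n";
}

// Rejects any value destined for a header if it contains a line break.
// $_POST values are already URL-decoded, so %0D / %0A in the request body
// arrive here as real "\r" / "\n" and a plain character check is enough.
// Rejecting (rather than silently stripping) also gives you a log line
// for the attempt. Hypothetical helper name.
function header_value(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('line break in header field');
    }
    return $value;
}

// Hardened: the address must validate (FILTER_VALIDATE_EMAIL does not
// accept newlines) and the display name passes through header_value().
function build_headers_safe(string $from_email, string $from_name): string
{
    if (filter_var($from_email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    $name = header_value($from_name);
    return "From: $name <$from_email>\r\n"
         . "Reply-To: $from_email\r\n";
}

// Constructed attacker input: the "name" field carries a Bcc: header.
// A real spam run would put hundreds of addresses here.
$attack_name  = "Alice\r\nBcc: one@example.net, two@example.net";
$attack_email = "alice@example.com";

// Vulnerable path: the Bcc: line is now part of the headers mail() sends.
echo build_headers_vulnerable($attack_email, $attack_name);

// Hardened path: the same input is refused before mail() is ever called.
try {
    build_headers_safe($attack_email, $attack_name);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

// In the real handler the subject is a header too and needs the same check;
// only the message body may legitimately contain newlines. Assumed form
// field names; mail() call shown for shape, not executed here.
// $to      = 'contact@example.org';
// $subject = header_value($_POST['subject']);
// $message = $_POST['message'];
// $headers = build_headers_safe($_POST['email'], $_POST['name']);
// mail($to, $subject, $message, $headers);
```

Note that stripping "\r" and "\n" (str_replace(["\r", "\n"], '', $value)) is the fix the post suggests and is equally effective; rejecting the request instead is a design choice that makes the abuse attempts visible in your logs.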
Current thread:
- Email header injection in PHP Harry Metcalfe (Aug 09)
- Re: Email header injection in PHP Irene Abezgauz (Aug 09)
- RE: Email header injection in PHP Harry Metcalfe (Aug 09)
- Re: Email header injection in PHP Tobias Schlitt (Aug 09)
- RE: Email header injection in PHP Eyal Udassin (Aug 09)
- Re: Email header injection in PHP Irene Abezgauz (Aug 09)