WebApp Sec mailing list archives
RE: Email header injection in PHP
From: "Harry Metcalfe" <harry () slaptop com>
Date: Tue, 9 Aug 2005 14:36:50 +0100
Good point - I didn't think of that. This problem also occurs with calls to header(), which can result in HTTP header injection. There was an osCommerce vulnerability recently that was caused by this. Harry Metcalfe
-----Original Message-----
From: Irene Abezgauz [mailto:irene.abezgauz () gmail com]
Sent: 09 August 2005 14:11
To: Harry Metcalfe
Cc: webappsec () securityfocus com
Subject: Re: Email header injection in PHP

Just wanted to add - it doesn't have to be just the mail() function abuse, SMTP header injection weaknesses occur in web applications, not necessarily the traditional way. It can exist (and indeed does) in a variety of homegrown applications that implement mailing mechanisms. Also something that needs to be noted, and watched for.

Just my 2c,
Irene

On 8/9/05, Harry Metcalfe <harry () slaptop com> wrote:

This is not a new problem, but I recently ran afoul of it and I thought someone out there might appreciate a heads-up. It's pretty easy for malicious users to inject headers into contact forms. This is often used to send spam by injecting a BCC header with a long list of email addresses.

It's quite similar to the recently discovered header injection flaw in oscommerce: the solution is to check for, and remove, any line return(s) which may be present in data passed to mail() -- other than in the message parameter, obviously.

This can have an added annoyance: some ISPs - AOL, most notably - will reject _all_ incoming mail (forever) from servers from which they have previously received spam. A vulnerable form on your server can thus lead to more problems than a little spam.

More information here:
http://musingsofharry.blogspot.com/2005/08/email-header-injection-in-php.html

HTH,
Harry Metcalfe
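The injection Harry describes, and the CR/LF check both he and the follow-up on header() call for, as an added PHP example that is not part of any message in this thread. The attacker input is constructed; the function names (has_header_injection, safe_mail_headers, safe_location_header) are this example's own, not from osCommerce or the posts, and mail() and header() are not actually invoked, the example only builds the strings they would receive.

```php
<?php
// Added example (not from the thread). Shows how a CRLF in form input
// becomes an extra mail header, and a check that refuses such input.

// Constructed attacker input for a contact form's "your email" field:
// a valid-looking address followed by CRLF and a Bcc header.
$attackerFrom = "victim@example.com\r\nBcc: spam1@example.org, spam2@example.org";

// Vulnerable pattern: the form value is concatenated straight into the
// additional_headers argument of mail(). The CRLF terminates the From
// line, so the MTA sees a second header line (Bcc) and delivers the spam.
function vulnerable_mail_headers(string $from): string
{
    return "From: " . $from . "\r\n";
}

// A single-line header value must never contain CR, LF or NUL (some
// MTAs and proxies treat a bare LF or NUL as a line terminator too).
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Hardened pattern: reject the request instead of trying to repair the
// value, and insist the field is a single syntactically valid address.
// Apply the same check to every mail() argument except the message body.
function safe_mail_headers(string $from): string
{
    if (has_header_injection($from)) {
        throw new InvalidArgumentException('line break in header value');
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a single valid address');
    }
    return "From: " . $from . "\r\n";
}

// The same defect in header(): a user-controlled redirect target with a
// CRLF lets the attacker add HTTP response headers (or a second body).
function safe_location_header(string $url): string
{
    if (has_header_injection($url)) {
        throw new InvalidArgumentException('line break in Location value');
    }
    return "Location: " . $url;
}

// Demonstrate both behaviours on the constructed input.
echo "Vulnerable header block as the MTA would see it:\n";
echo vulnerable_mail_headers($attackerFrom), "\n";

try {
    echo safe_mail_headers($attackerFrom);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
echo safe_mail_headers("alice@example.com");

try {
    echo safe_location_header("/home\r\nSet-Cookie: session=attacker"), "\n";
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
echo safe_location_header("/home"), "\n";
```

Rejecting rather than stripping is deliberate: silently deleting the line breaks turns the Bcc line into trailing junk on the From value, which may still be accepted by a lenient MTA, whereas refusing the request makes the abuse visible in logs. The subject, to and additional_parameters arguments of mail() need the same treatment as the headers argument; only the message body is allowed to contain line breaks.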
Current thread:
- Email header injection in PHP Harry Metcalfe (Aug 09)
- Re: Email header injection in PHP Irene Abezgauz (Aug 09)
- RE: Email header injection in PHP Harry Metcalfe (Aug 09)
- Re: Email header injection in PHP Tobias Schlitt (Aug 09)
- RE: Email header injection in PHP Eyal Udassin (Aug 09)
- Re: Email header injection in PHP Irene Abezgauz (Aug 09)