RE: Email header injection in PHP

["Harry Metcalfe" <harry () slaptop com>]

Good point - I didn't think of that.

This problem also occurs with calls to header(), which can result in HTTP
header injection. There was an osCommerce vulnerability recently that was
caused by this.

Harry Metcalfe

> -----Original Message-----
> From: Irene Abezgauz [mailto:irene.abezgauz () gmail com]
> Sent: 09 August 2005 14:11
> To: Harry Metcalfe
> Cc: webappsec () securityfocus com
> Subject: Re: Email header injection in PHP
>
> Just wanted to add - it doesn't have to be just the mail() function
> abuse, SMTP header injection weaknesses occur in web applications, not
> necessarily the traditional way. It can exist (and indeed does) in a
> variety of homegrown applications that implement mailing mechanisms.
> Also something that needs to be noted, and watched for.
>
> Just my 2c,
>
> Irene
>
>
> On 8/9/05, Harry Metcalfe <harry () slaptop com> wrote:
> > This is not a new problem, but I recently ran afoul of it and I thought
> > someone out there might appreciate a heads-up.
> >
> > It's pretty easy for malicious users in inject headers into contact
> forms.
> > This is often used to send spam by injecting a BCC header with a long
> list
> > of email addresses. It's quite similar to the recently discovered header
> > injection flaw in oscommerce: the solution is to check for, and remove,
> any
> > line return(s) which may be present in data passed to mail() -- other
> than
> > in the message parameter, obviously.
> >
> > This can have an added annoyance: some ISPs - AOL, most notably - will
> > reject _all_ incoming mail (forever) from servers from which they have
> > previously received spam. A vulnerable form on your server can thus lead
> to
> > more problems than a little spam.
> >
> > More information here:
> > http://musingsofharry.blogspot.com/2005/08/email-header-injection-in-
> php.htm
> > l
> >
> > HTH,
> >
> > Harry Metcalfe