Re: Email header injection in PHP

[Irene Abezgauz <irene.abezgauz () gmail com>]

Just wanted to add - it doesn't have to be just the mail() function
abuse, SMTP header injection weaknesses occur in web applications, not
necessarily the traditional way. It can exist (and indeed does) in a
variety of homegrown applications that implement mailing mechanisms.
Also something that needs to be noted, and watched for.

Just my 2c,

Irene


On 8/9/05, Harry Metcalfe <harry () slaptop com> wrote:
> This is not a new problem, but I recently ran afoul of it and I thought
> someone out there might appreciate a heads-up.
>
> It's pretty easy for malicious users in inject headers into contact forms.
> This is often used to send spam by injecting a BCC header with a long list
> of email addresses. It's quite similar to the recently discovered header
> injection flaw in oscommerce: the solution is to check for, and remove, any
> line return(s) which may be present in data passed to mail() -- other than
> in the message parameter, obviously.
>
> This can have an added annoyance: some ISPs - AOL, most notably - will
> reject _all_ incoming mail (forever) from servers from which they have
> previously received spam. A vulnerable form on your server can thus lead to
> more problems than a little spam.
>
> More information here:
> http://musingsofharry.blogspot.com/2005/08/email-header-injection-in-php.htm
> l
>
> HTH,
>
> Harry Metcalfe