WebApp Sec mailing list archives

RE: Email header injection in PHP


From: "Eyal Udassin" <eyal () swiftcoders com>
Date: Tue, 9 Aug 2005 21:22:03 +0200

Hi Harry,

Sorry for the late reply. Getting over a nasty jet-lag...

Information about this type of vulnerability has been out there for quite a while,
see: http://www.ngssoftware.com/papers/aspmail.pdf

This obviously affects all SMTP and MIME objects that were written without
CRLF insertion in mind. This technique can also be projected to HTTP, see
references to "HTTP response splitting".
 
Regards,
Eyal Udassin - Swift Coders
POB 1596 Ramat Hasharon, 47114
972+547-684989
eyal () swiftcoders com


-----Original Message-----
From: Harry Metcalfe [mailto:harry () slaptop com] 
Sent: Tuesday, August 09, 2005 12:31 AM
To: webappsec () securityfocus com
Subject: Email header injection in PHP


This is not a new problem, but I recently ran afoul of it and I thought
someone out there might appreciate a heads-up.

It's pretty easy for malicious users to inject headers into contact forms.
This is often used to send spam by injecting a BCC header with a long list
of email addresses. It's quite similar to the recently discovered header
injection flaw in oscommerce: the solution is to check for, and remove, any
line return(s) which may be present in data passed to mail() -- other than
in the message parameter, obviously.

This can have an added annoyance: some ISPs - AOL, most notably - will
reject _all_ incoming mail (forever) from servers from which they have
previously received spam. A vulnerable form on your server can thus lead to
more problems than a little spam.

More information here:
http://musingsofharry.blogspot.com/2005/08/email-header-injection-in-php.html

HTH,

Harry Metcalfe
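
The check described in the message above (look for line returns in everything passed to mail() except the message parameter), as an added example that is not part of the original thread. The form field names, the addresses and the helper functions are hypothetical, and the sample submissions are constructed.

```php
<?php
// Added example; the form field names and addresses are hypothetical.

const RECIPIENT = 'webmaster@example.com'; // fixed by the site, never by the form

// True if the value contains a carriage return or line feed.
function has_line_return(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns [to, subject, message, headers] for mail(), or null to refuse the form.
function build_contact_mail(array $form): ?array
{
    $email   = (string)($form['email'] ?? '');
    $subject = (string)($form['subject'] ?? '');
    $message = (string)($form['message'] ?? '');

    // The address ends up in From:, so a line return here would start a new header.
    if (has_line_return($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Remove line returns from the subject rather than refusing the whole form.
    $subject = trim(preg_replace('/[\r\n]+/', ' ', $subject));

    // The message parameter is the body and may keep its line returns.
    return [RECIPIENT, $subject, $message, "From: $email"];
}

// Constructed sample submissions.
$samples = [
    'plain'    => ['email' => 'visitor@example.com', 'subject' => 'Hello',
                   'message' => "Line one\r\nLine two"],
    'injected' => ['email' => "visitor@example.com\r\nBcc: someone@example.net",
                   'subject' => 'Hello', 'message' => 'Hi'],
    'subject'  => ['email' => 'visitor@example.com',
                   'subject' => "Hello\r\nBcc: someone@example.net", 'message' => 'Hi'],
];

foreach ($samples as $name => $form) {
    $args = build_contact_mail($form);
    // A real handler would call mail(...$args) here when $args is not null.
    echo $name, ': ', $args === null ? 'refused' : json_encode($args), "\n";
}
```

The first sample passes through unchanged, the second is refused, and the third is sent with its subject flattened to one line.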



