WebApp Sec mailing list archives

Re: Email header injection in PHP


From: Tobias Schlitt <tobias () schlitt info>
Date: Tue, 09 Aug 2005 18:38:41 +0200

Hi Harry Metcalfe!
On 08/09/05 00:30 you wrote:

It's pretty easy for malicious users to inject headers into contact forms.
This is often used to send spam by injecting a BCC header with a long list
of email addresses. It's quite similar to the recently discovered header
injection flaw in oscommerce: the solution is to check for, and remove, any
line return(s) which may be present in data passed to mail() -- other than
in the message parameter, obviously.

Actually this is not a PHP related problem, but may occur in every type
of web application which utilizes user input to send mail.

Regards,
Toby
-- 
Tobias Schlitt - Zend Certified Engineer         GPG Key: 0xA6529579
a passion for php                            http://www.schlitt.info
Like to say "thank you"?    -  http://pear.php.net/wishlist.php/toby
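The check the thread recommends, as an added example in PHP (this is not code from the original posts): a contact-form handler that refuses any header field containing a line return before the data reaches mail(), next to the vulnerable shape that copies form input straight into the headers. The field names (name, email, subject, message) and the sample injected value are assumptions constructed for the example.

```php
<?php
// Added example, not from the original thread. Assumed form fields:
// name, email, subject, message.

// Vulnerable shape described in the thread: user input goes straight into
// the additional_headers argument. A CR/LF inside 'email' terminates the
// From: header and whatever follows it becomes a new header (e.g. Bcc:).
function send_contact_mail_unsafe(array $post, string $to): bool
{
    $headers = "From: " . $post['email'] . "\r\n";
    return mail($to, $post['subject'], $post['message'], $headers);
}

// Returns the trimmed value if it contains no CR, LF or NUL, otherwise null.
// A single-line header value can never legitimately contain a line break,
// so the field is rejected outright rather than silently stripped.
function header_value_or_null(string $value): ?string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return trim($value);
}

// Hardened handler: every value that ends up in a header passes the
// line-return check; only the message body may contain user line breaks.
function send_contact_mail(array $post, string $to): bool
{
    $name    = header_value_or_null($post['name'] ?? '');
    $from    = header_value_or_null($post['email'] ?? '');
    $subject = header_value_or_null($post['subject'] ?? '');
    $body    = (string) ($post['message'] ?? '');

    if ($name === null || $from === null || $subject === null) {
        return false;   // line return in a header field: do not send
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;   // not a plain address (rejects display names, brackets, etc.)
    }

    $headers = "From: " . $from . "\r\n"
             . "Reply-To: " . $from . "\r\n"
             . "X-Mailer: contact-form";

    // mail() separates headers from body itself, so line breaks in $body
    // cannot create new headers; $subject and $headers were already checked.
    return mail($to, $subject, $body, $headers);
}

// Self-check with a constructed input (no mail is sent here).
$injected = "user@example.com\r\nBcc: someone@example.org";
$clean    = "user@example.com";

var_dump(header_value_or_null($injected));   // NULL: rejected
var_dump(header_value_or_null($clean));      // string(16) "user@example.com"
```

The rejection is deliberate: stripping the line returns instead would leave the text of the injected header fused onto the previous one, which is confusing to debug and still leaks what the attacker tried. Later PHP releases added some checks of their own on the additional headers argument, but the validation in the form handler is what the thread recommends and it does not depend on the PHP version.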


