WebApp Sec mailing list archives
RE: Email header injection in PHP
From: "Eyal Udassin" <eyal () swiftcoders com>
Date: Tue, 9 Aug 2005 21:22:03 +0200
Hi Harry, Sorry for the late reply. Getting over a nasty jet-lag... Information about this type of vulnerability is out there for quite a while, see: http://www.ngssoftware.com/papers/aspmail.pdf This obviously affects all SMTP and MIME objects that were written without CRLF insertion in mind. This technique can also be projected to HTTP, see references to "HTTP response splitting". Regards, Eyal Udassin - Swift Coders POB 1596 Ramat Hasharon, 47114 972+547-684989 eyal () swiftcoders com -----Original Message----- From: Harry Metcalfe [mailto:harry () slaptop com] Sent: Tuesday, August 09, 2005 12:31 AM To: webappsec () securityfocus com Subject: Email header injection in PHP This is not a new problem, but I recently ran afoul of it and I thought someone out there might appreciate a heads-up. It's pretty easy for malicious users in inject headers into contact forms. This is often used to send spam by injecting a BCC header with a long list of email addresses. It's quite similar to the recently discovered header injection flaw in oscommerce: the solution is to check for, and remove, any line return(s) which may be present in data passed to mail() -- other than in the message parameter, obviously. This can have an added annoyance: some ISPs - AOL, most notably - will reject _all_ incoming mail (forever) from servers from which they have previously received spam. A vulnerable form on your server can thus lead to more problems than a little spam. More information here: http://musingsofharry.blogspot.com/2005/08/email-header-injection-in-php.htm l HTH, Harry Metcalfe
Current thread:
- Email header injection in PHP Harry Metcalfe (Aug 09)
- Re: Email header injection in PHP Irene Abezgauz (Aug 09)
- RE: Email header injection in PHP Harry Metcalfe (Aug 09)
- Re: Email header injection in PHP Tobias Schlitt (Aug 09)
- RE: Email header injection in PHP Eyal Udassin (Aug 09)
- Re: Email header injection in PHP Irene Abezgauz (Aug 09)