Email header injections

GiorgosK
Thu 7 June 2007, 12:22 pm GMT +0200
I have implemented a check for email header injection in the contact forms I create for clients,
but I am not 100% sure I am actually doing it right.

I check to see if there is a "cc:" and "bcc:" string injected in any of my form fields
and if there is I don't send the email (and I actually put a deny rule in the htaccess so they can't try anything else)

I was reading http://www.securephpwiki.com/index.php/Email_Injection
and realized that subject: can also be injected
but since I am checking for cc and bcc I think I am safe?
since a spammer will specify one of the two (most probably bcc)

Is there any other way that they could use my email to send spam?

Thanks

Nikolas
Thu 7 June 2007, 12:34 pm GMT +0200
I think those are enough.

The only extra thing that someone could do is use the body (I think) to attach a virus file, but I guess this is not something too common :)

olaf
Thu 7 June 2007, 04:11 pm GMT +0200
You need to check all form fields which belong in the mail header (check the mail message you send via the form).

1. validate email addresses (if available and used as from:)
2. check all the (header) fields with:

<?php
// strip any CR/LF pair submitted in the form field before it goes into a header
$email = preg_replace("/\r\n/", "", $_REQUEST['email']);
?>


GiorgosK
Fri 8 June 2007, 05:13 pm GMT +0200
I am not sure exactly what you are saying Olaf,

I am checking all form fields,
if I see a bcc or cc in them it means someone is trying to attack my mail form
then I don't send email, and I also put a "deny ip" in my htaccess so the attacker does not try anything else

wouldn't that be enough? you say

olaf
Sat 9 June 2007, 07:58 am GMT +0200
As your forum subject says, only the headers must be protected.
The email address needs to be checked too, because multiple entries need to be validated as well.

All other form fields which are placed in the mail header need the check above.

GiorgosK
Sat 9 June 2007, 05:21 pm GMT +0200
I guess what confuses me is the reasoning behind this:

$email = preg_replace("/\r\n/", "", $_REQUEST['email']);

what does it do ?

It strips away carriage returns/line feeds right ?

what does that accomplish ?

You destroy all the line feeds and the mail() can't function properly?
(since ALL the headers MUST be separated with line feeds)

olaf
Sat 9 June 2007, 06:29 pm GMT +0200
> I guess what confuses me is the reasoning behind this:
>
> $email = preg_replace("/\r\n/", "", $_REQUEST['email']);
>
> what does it do ?
>
> It strips away carriage returns/line feeds right ?
>
> what does that accomplish ?
>
> You destroy all the line feeds and the mail() can't function properly?
> (since ALL the headers MUST be separated with line feeds)


You remove only the line feeds submitted via the form, not the ones your own code puts between the headers.
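The point olaf is making in this thread, shown as an added example that is not code from any poster: the line breaks between headers are written by your own script, so any line break that arrives in a form field can only be an attempt to add a header. The function names, the field names `email` and `subject` and the sample submissions below are assumptions for illustration.

```php
<?php
// Added example (not from the thread): build the header string for mail()
// from form input so that a line break in any header field cannot add a
// Cc:, Bcc: or other header.

// A bare "\n" or "\r" also terminates a header line for many MTAs, so
// instead of only deleting "\r\n" we refuse any value that contains either.
function isCleanHeaderValue(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// The From: address must be a single valid mailbox; this also rejects
// comma-separated lists, which is the "multiple entries" case olaf mentions.
function isValidSingleAddress(string $email): bool
{
    return isCleanHeaderValue($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the headers for mail(), or null when the submission must be dropped.
function buildHeaders(array $form): ?string
{
    $from    = $form['email']   ?? '';
    $subject = $form['subject'] ?? '';
    if (!isValidSingleAddress($from) || !isCleanHeaderValue($subject)) {
        return null;
    }
    // Only the script inserts CRLF between headers; user data never does.
    return "From: $from\r\n" . "Reply-To: $from\r\n";
}

// Constructed sample submissions with placeholder addresses.
$good = ['email' => 'alice@example.com', 'subject' => 'Hello'];
$bad  = ['email' => "alice@example.com\r\nBcc: someone@example.net", 'subject' => 'Hello'];

var_dump(buildHeaders($good) !== null); // bool(true): safe to pass to mail()
var_dump(buildHeaders($bad));           // NULL: submission is refused
```

Pass the returned string as the fourth argument of mail(); the subject goes in the third argument and is checked the same way because it is a header line as well.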
