[ciapug] php mail injection attack
Barry Von Ahsen
barry at vonahsen.com
Mon Dec 12 15:29:15 CST 2005
One of my contact forms was being used to send spam via PHP mail injection; I
thought the group might benefit from the knowledge/solution.
This is the page everyone else links to on the subject:
http://securephp.damonkohler.com/index.php/Email_Injection
Basically, anywhere you pass form variables to be used in the headers of
mail() [e.g. from or subject], you can pass line feeds through the form and
insert your own headers, like so:
$_POST['from'] = "spammer at scumbag.com\n bcc: unlucky1 at recipient.com,
unlucky2 at adslfkj.com, \n lemme tell ya bout these blue pills..."
Anyhow, here is an easy function to sanitize your fields; it just
strips all line feeds out of the POST vars. I'm calling it like:
$from = stripcrlf($_POST['from']);
$subject = stripcrlf($_POST['subject']);
(%0A and %0D are \n and \r URL-encoded.)
/* ------------------------------------------- */
function stripcrlf($string) {
/* ------------------------------------------- */
    // Strip raw CR and LF first, then the URL-encoded forms %0D and %0A;
    // the order is the same as the original nested preg_replace() calls.
    $string = preg_replace("/\\r+/", "", $string);
    $string = preg_replace("/\\n+/", "", $string);
    $string = preg_replace("/%0D/", "", $string);
    $string = preg_replace("/%0A/", "", $string);
    return $string;
}
-barry
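As an added example (not code from Barry's post), here is the same check done the other way round in PHP: a submission whose header-bound fields contain a CR/LF is refused and logged rather than silently cleaned, and the From address is validated. The field names 'from' and 'subject', the log line and the sample submissions are assumptions.

```php
<?php
// Added example, not from the original post: refuse the submission when a
// header field contains a CR/LF (raw or URL-encoded), validate the From
// address, and log the attempt, instead of stripping and carrying on.

// True when $value carries no raw CR/LF and no %0D/%0A (either case).
// preg_match returns 1 on match, 0 on no match, false on error; only 0 is clean.
function header_is_clean($value) {
    return preg_match('/\r|\n|%0[aAdD]/', (string) $value) === 0;
}

// Builds the subject and header string for mail() from POST data.
// Returns null, after logging, when any header-bound field is tainted.
function build_mail_args(array $post) {
    $from    = isset($post['from'])    ? $post['from']    : '';
    $subject = isset($post['subject']) ? $post['subject'] : '';

    if (!header_is_clean($from) || !header_is_clean($subject)) {
        // detection hook: a CR/LF in a header field is an injection attempt, not a typo
        error_log('mail injection attempt blocked: ' . json_encode($post));
        return null;
    }
    // From must be a single syntactically valid address, not a list or a display name
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return array(
        'subject' => $subject,
        'headers' => "From: $from\r\nReply-To: $from\r\n",
    );
}

// Constructed sample submissions: the payload shape from the post, and a clean one.
$malicious = array(
    'from'    => "spammer@scumbag.com\n bcc: unlucky1@recipient.com",
    'subject' => 'hi',
);
$benign = array('from' => 'alice@example.com', 'subject' => 'Question');

var_dump(build_mail_args($malicious)); // NULL: rejected and logged
$args = build_mail_args($benign);
if ($args !== null) {
    // mail('you@example.com', $args['subject'], $body, $args['headers']);
    echo $args['headers'];
}
```

The subject is checked too because mail() takes it as a separate argument that the $headers string never sees.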