[ciapug] php mail injection attack

David Champion dave at dchamp.net
Wed Jan 28 14:41:16 CST 2009


Follow-up to this: just got back from a SANS class (545: Secure Coding 
in PHP). They suggest using the Suhosin hardened PHP patch, with 
suhosin.multiheader set to Off, which will not allow CRs in any 
HTTP headers or email headers.

See: http://www.hardened-php.net/suhosin/

Many distros have suhosin packages available (Ubuntu and Mandriva do). 
RHEL and CentOS don't, so you get to compile php from source if you want 
to use it.

-dc

Barry Von Ahsen wrote:
> one of my contact forms was being used to send spam via PHP mail injection; 
> I thought the group may benefit from the knowledge/solution
>
> this is the page everyone else links to about the subject:
> http://securephp.damonkohler.com/index.php/Email_Injection
>
> basically, anywhere you pass form variables to be used in the header of
> mail() [e.g. from or subject], you can pass line feeds to the form, and
> insert your own headers like so:
>
> $_POST['from'] = "spammer@scumbag.com\n bcc: unlucky1@recipient.com,
> unlucky2@adslfkj.com, \n lemme tell ya bout these blue pills..."
>
> anyhow, here is an easy function to sanitize your fields - it just
> strips out all line feeds from the post vars.  I'm calling it like
>
> $from = stripcrlf($_POST['from']);
> $subject = stripcrlf($_POST['subject']);
>
> %0A and %0D are \n and \r urlencoded
>
> /* ------------------------------------------- */
> function stripcrlf($string) {
> /* ------------------------------------------- */
>     // remove raw CR / LF first, then their urlencoded forms %0D / %0A
>     return preg_replace("/%0A/", "",
>            preg_replace("/%0D/", "",
>            preg_replace("/\\n+/", "",
>            preg_replace("/\\r+/", "", $string))));
> }
>
>
> -barry
>
> _______________________________________________
> ciapug mailing list
> ciapug at cialug.org
> http://cialug.org/mailman/listinfo/ciapug
>
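To show the difference between stripping line breaks and refusing the input outright, here is an added example of my own (it is not Barry's function and not from the SANS material or the Suhosin project): a validator that rejects any header value containing CR, LF or their URL-encoded forms, and additionally requires the From field to be a single valid address. The form field names `from` and `subject`, the sample submissions and the owner address are constructed for the example.

```php
<?php
// Added example for this thread, not code from the original posts: reject
// (rather than strip) mail-header values that could smuggle extra headers.

/**
 * Return the trimmed value if it contains no CR, LF, or their URL-encoded
 * forms (%0D / %0A); return null when the value is unsafe for a mail header.
 */
function safe_header_value(string $value): ?string
{
    if (preg_match('/[\r\n]|%0[aAdD]/', $value) === 1) {
        return null;
    }
    return trim($value);
}

/**
 * A From value must additionally be a single syntactically valid mailbox,
 * which by construction cannot carry a line break or a second header.
 */
function safe_from_address(string $value): ?string
{
    $value = safe_header_value($value);
    if ($value === null || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

/**
 * Validate the hypothetical form fields 'from' and 'subject' and build the
 * arguments for mail(). Returns null if any field was rejected, so the caller
 * can answer with an error (and log the attempt) instead of sending anything.
 */
function build_contact_mail(array $post): ?array
{
    $from    = safe_from_address($post['from'] ?? '');
    $subject = safe_header_value($post['subject'] ?? '');
    if ($from === null || $subject === null) {
        return null;
    }
    return [
        'subject' => $subject,
        'headers' => "From: $from\r\nReply-To: $from\r\n",
    ];
}

// Constructed sample submissions, including the injection shape Barry describes.
$samples = [
    ['from' => 'alice@example.com',
     'subject' => 'Question about opening hours'],
    ['from' => "spammer@example.com\nBcc: victim1@example.com, victim2@example.com",
     'subject' => 'hi'],
    ['from' => "spammer@example.com\r\nSubject: blue pills",
     'subject' => 'hi'],
    ['from' => 'spammer@example.com%0ABcc: victim@example.com',
     'subject' => 'hi'],
    ['from' => 'alice@example.com',
     'subject' => "hello\nBcc: victim@example.com"],
];

foreach ($samples as $i => $post) {
    $mail = build_contact_mail($post);
    printf("sample %d: %s\n", $i, $mail === null ? 'REJECTED' : 'accepted');
}

// In the real form handler (owner address is a placeholder):
// $mail = build_contact_mail($_POST);
// if ($mail === null) { http_response_code(400); exit('invalid input'); }
// mail('owner@example.com', $mail['subject'], $body, $mail['headers']);
```

Rejecting rather than stripping means an injection attempt produces a 400 and a log line instead of a silently mangled message, which is what you want for spotting abuse of the form. Note that PHP has already URL-decoded `$_POST` by the time your code sees it, so the `%0A`/`%0D` part of the pattern only matters for values that arrive from somewhere else undecoded; the CR/LF check is the one doing the real work.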