email injection

Posted: Tue Nov 07, 2006 9:19 am
by rgmis
At this page I found some code to prevent email injection, which I would like to have your comments about...
So How do I Protect Against Email Header Injection Attacks?
Thankfully, protecting yourself is quite easy - probably the easiest way is for you to check the vulnerable fields for illegal content on receipt by your processing script. My approach was to write a simple function using a regular expression, thus:

Code: Select all

<?php
// Checks one form field for injected mail headers. If "cc: " or "subject: "
// appears anywhere in it, a report is mailed to the site owner and the
// script stops.
function spamcheck($spammed_field) {
    $spammed_field = strtolower($spammed_field);
    // The original used eregi(), which no longer exists in PHP 7+; for these
    // fixed patterns a case-insensitive substring test is equivalent.
    if (stripos($spammed_field, "cc: ") !== false || stripos($spammed_field, "subject: ") !== false) {
        $spamhost = $_SERVER['REMOTE_HOST'] ?? '';
        $spamrefr = $_SERVER['HTTP_REFERER'] ?? '';
        // Prefer a proxy-supplied client address, then fall back to the connecting address.
        $spamaddr = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
        if (strlen($spamaddr) < 7) { $spamaddr = $_SERVER['HTTP_CLIENT_IP'] ?? ''; }
        if (strlen($spamaddr) < 7) { $spamaddr = $_SERVER['REMOTE_ADDR'] ?? ''; }
        $thisfile = $_SERVER['SCRIPT_NAME'] ?? '';
        $spamtext = "FILE: $thisfile \nFROM: $spamrefr \nADDR: $spamaddr \nHOST: $spamhost \nINFO:\n$spammed_field\n";
        mail("spamcheck@domain.tld", "ALERT: $spamaddr", $spamtext, "From: SpamCheck <spamcheck@domain.tld>\r\n");
        die();
    }
}
?>
All you have to do to check the vulnerable fields is include the function and call it for each one:

Code: Select all

include('spamcheck.php');
spamcheck($name);
spamcheck($email);
If either 'Cc:', 'Bcc:' or 'Subject:' is found somewhere it shouldn't be, the script generates an email containing the name of the script and the spammer's IP address, sends it to spamcheck@domain.tld and promptly dies.
So my questions, about this script, to you seasoned coders are...

When I include a call to spamcheck.php in a page and call the function to check the input, for example spamcheck($name) in a form, how does the $spammed_field in the spamcheck.php function know that $name is the $spammed_field? I am not fluent in PHP... does the spamcheck function know that the $spammed_field is $name, or would we have to specify before calling spamcheck.php that $spammed_field == $name and then call spamcheck($spammed_field)?

So basically my question is: can the above spamcheck.php code be used as is, by simply changing it to the exact field names of our form that we want checked for email injection, BCCs etc., in this code...

Code: Select all

include('spamcheck.php');
spamcheck($name);
spamcheck($email);
Or do we have to explain to the spamcheck.php code that $spammed_field == $name and then call spamcheck($spammed_field), then that the next $spammed_field == $email and then call spamcheck($spammed_field), etc., for every field we want to check?

So my question is ultimately: is PHP intelligent enough to know, when I call spamcheck.php, that the $spammed_field is always the spamcheck($xyzfield)??


Thanks for your help!

rgmis


PS: Also... as a second question, what are your thoughts about the capacity of this code to seriously help prevent email injection? :)

Posted: Tue Nov 07, 2006 12:50 pm
by Chris Corbyn
It seems a bit pointless to me. It does absolutely nothing unless it sees subject: or cc:... :? Whoever wrote that function really has not grasped what email header injection is all about. Heck, you can even feed newlines through that 8O
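As an added illustration of the point above (example code, not from either poster or the page rgmis quoted), the posted check only looks for the literal text "cc: " or "subject: ", while a value that ends up in a single-line mail header only needs a line break to carry extra headers. The function and sample names below are assumptions; the inputs are constructed.

```php
<?php
// Added example: the posted substring check beside a check that rejects
// the one thing header injection actually needs, a line break.

// The posted check, reduced to its essence: case-insensitive substring match.
function spamcheck_posted(string $field): bool
{
    return stripos($field, 'cc: ') !== false
        || stripos($field, 'subject: ') !== false;
}

// Hardened check: a value destined for a single-line header (From, Subject,
// a display name) must contain no CR, LF or NUL at all.
function header_field_is_safe(string $field): bool
{
    return preg_match('/[\r\n\0]/', $field) !== 1;
}

// Email address field: also require a syntactically valid single address.
function email_field_is_safe(string $field): bool
{
    return header_field_is_safe($field)
        && filter_var($field, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed samples (assumed values, not from the thread).
$samples = [
    'Alice Example',               // harmless
    "Alice\r\nX-Injected: yes",    // line break, but no "cc: "/"subject: " text
    'Alice cc: bob@example.com',   // triggers the posted check, yet no line break
];

foreach ($samples as $s) {
    printf("%-32s posted_flags=%-3s hardened_safe=%s\n",
        json_encode($s),
        spamcheck_posted($s) ? 'yes' : 'no',
        header_field_is_safe($s) ? 'yes' : 'no');
}
// Only the hardened check flags the second sample; the posted one flags the third,
// which cannot add a header because it contains no line break.
```

A field that fails header_field_is_safe() should be rejected outright rather than cleaned, so that the original and its report never reach mail() with a line break inside a header.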