PHP mail injection

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

superdez
Forum Commoner
Posts: 33
Joined: Tue Jul 03, 2007 1:36 pm

PHP mail injection

Post by superdez »

I have read various tutorial about mail injections and I was wondering if this code is safe:

if (!isset($_SERVER['HTTP_USER_AGENT'])) {
    exit;
}

$message = '';
$message .= "message input\n";
$message .= "message input\n";
$message .= "message input\n";

$headers = '';
$headers .= "MIME-Version: 1.0\n";
$headers .= "Content-Type: text/plain; charset=\"UTF-8\"\n";
$headers .= "Content-Transfer-Encoding: 7bit\n";
$headers .= "From: myemail@mydomain.com\n";

// eregi() was removed in PHP 7; stripos() gives the same case-insensitive match.
if (stripos($headers, 'Cc') !== false || stripos($headers, 'Bcc') !== false) {
    mail("myemail@mydomain.com", "Somebody tried to Carbon Copy", $message, "From: myemail@mydomain.com");
    exit;
}

mail("myemail@mydomain.com", "You have registered successfully", $message, $headers);
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Instead of trying to roll your own email system, I would suggest using an established mailing library like Swift Mailer.
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Post by andym01480 »

That said, if you were to roll your own, you are worried about the contents of $headers and $to in

mail($to, $subject, $message, $headers)

In your example...
$to was not a variable - myemail@mydomain.com
and $headers didn't have any user-inputted values, as it was defined by you.

Your code is safe because you don't seem to be using user input in the mail() function.

If you had user input of email address which you were using to populate $to or to add into $headers then you would need to check that it is just a valid email address. Check for what you want, rather than looking for things you don't want!


Then test your form by trying to inject into the email header... so in the email field of a form type
"email@mydomain.com%0ACc:spam@recipient.com"
superdez
Forum Commoner
Posts: 33
Joined: Tue Jul 03, 2007 1:36 pm

Post by superdez »

feyd,

I downloaded and reviewed Swift Mailer but it's quite complex and seems quite an overkill for my purpose.

---------------------------------------------------------

If myemail@mydomain.com were to be a variable such as:

$email = "myemail@mydomain.com";

Would it then be possible to inject?


How about if one of the $message lines was like this:

$note = $_REQUEST["note"];
$message .= "$note\n";
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's not complex nor overkill. The documentation put together by Chris is quite thorough and if you run into problems we have an entire forum dedicated to its support. Since Chris is a regular here, you shouldn't have a problem getting help from him, although not privately.
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Post by andym01480 »

In answer to your first question,

$email = "myemail@mydomain.com";

is a variable set by you, not a web page user, so it
cannot be "injected" into unless you then allow user input to inject into it,
i.e.

$email .= $_POST['some_form_variable'];

The mail injection problem is about "header injection". Not sure you have understood the tutorials you have read! Try http://www.securephpwiki.com/index.php/Email_Injection

The vulnerability is where you have outside input from $_GET, $_POST or $_REQUEST that will be used in the to or header part of mail().

The vulnerability of your code fragment

$note = $_REQUEST["note"];
$message .= "$note\n";

is not spam messages getting sent to the whole world, but nasty stuff getting sent to the intended recipient: dodgy hyperlinks, some naughty JavaScript, etc.

htmlentities()

would stop naughty HTML code working in what you receive.

Swiftmail, from what I understand, protects you!
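The allow-list check described in the two replies above, as an added example that is not code from the thread: a user-supplied address is accepted only when it is a single valid address with no line break, so the "%0ACc:" header-injection test from the earlier reply is rejected before it can reach the $to or $headers argument of mail(). The function and variable names are my own, and the mail() call is left commented out so the script runs without a mail server.

```php
<?php
// Added example, not code from the thread. Validates a form-supplied
// address before it is used in a mail() header (the same check applies
// when the address is used as $to).

function safe_email_address(string $input): ?string
{
    $candidate = trim($input);
    // Header injection depends on a line break; refuse CR and LF outright.
    if (preg_match('/[\r\n]/', $candidate)) {
        return null;
    }
    // Allow-list: check for what you want, a single valid address.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

function build_headers(string $from): string
{
    // $from has already passed safe_email_address(); everything else is fixed text.
    return "MIME-Version: 1.0\r\n"
         . "Content-Type: text/plain; charset=\"UTF-8\"\r\n"
         . "Content-Transfer-Encoding: 7bit\r\n"
         . "From: " . $from . "\r\n";
}

// Constructed inputs: a normal address and the injection test quoted in the
// thread, URL-decoded the way PHP decodes a submitted form field.
$inputs = [
    'user@example.com',
    urldecode('email@mydomain.com%0ACc:spam@recipient.com'),
];

foreach ($inputs as $raw) {
    $from = safe_email_address($raw);
    if ($from === null) {
        echo 'rejected: ' . json_encode($raw) . "\n";
        continue;
    }
    $headers = build_headers($from);
    $message = "Contact form submission from " . $from . "\n";
    // mail('myemail@mydomain.com', 'Contact form', $message, $headers);
    echo 'accepted: ' . $from . "\n";
}
```

Running it prints "accepted" for the plain address and "rejected" for the input carrying the injected Cc: line, which is exactly the behaviour the form test in the earlier reply is meant to confirm.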
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

superdez wrote: I downloaded and reviewed Swift Mailer but it's quite complex and seems quite an overkill for my purpose.

It only takes a basic understanding of object-oriented programming to start using SwiftMailer. It's very well put together and does a lot of things for you without you needing to explicitly tell it to do so.