PHP mail injection
Posted: Thu Dec 13, 2007 3:14 pm
by superdez
I have read various tutorials about mail injection and I was wondering if this code is safe:
if(!isset($_SERVER['HTTP_USER_AGENT'])){
exit;
}
$message .= "message input\n";
$message .= "message input\n";
$message .= "message input\n";
$headers .= "MIME-Version: 1.0\n";
$headers .= "Content-Type: text/plain; charset=\"UTF-8\"\n";
$headers .= "Content-Transfer-Encoding: 7bit\n";
$headers .= "From: <myemail@mydomain.com>\n";
if((eregi("Cc", $headers)) || (eregi("Bcc", $headers))){
mail("myemail@mydomain.com", "Somebody tried to Carbon Copy", $message, "From: myemail@mydomain.com");
exit;
}
mail("myemail@mydomain.com", "You have registered successfully", $message, $headers);
Posted: Thu Dec 13, 2007 3:28 pm
by feyd
Instead of trying to roll your own email system, I would suggest using an established mailing library like Swift Mailer.
Posted: Thu Dec 13, 2007 5:09 pm
by andym01480
That said, if you were to roll your own, you are worried about the contents of $headers and $to in
mail($to, $subject, $message, $headers)
In your example, $to was not a variable (it was myemail@mydomain.com) and $headers didn't have any user-inputted values, as it was defined by you.
Your code is safe because you don't seem to be using user input in the mail() function.
If you had user input of email address which you were using to populate $to or to add into $headers then you would need to check that it is just a valid email address. Check for what you want, rather than looking for things you don't want!
Then test your form by trying to inject into the email header... so in the email field of a form type:
"email@mydomain.com%0ACc: spam@recipient.com"
Posted: Fri Dec 14, 2007 4:06 am
by superdez
feyd,
I downloaded and reviewed Swift Mailer, but it's quite complex and seems like overkill for my purpose.
---------------------------------------------------------
If myemail@mydomain.com were to be a variable such as:
Would it then be possible to inject?
How about if one of the $message was like this:
$note = $_REQUEST["note"];
$message .= "$note\n";
Posted: Fri Dec 14, 2007 8:09 am
by feyd
It's not complex nor overkill. The documentation put together by Chris is quite thorough and if you run into problems we have an entire forum dedicated to its support. Since Chris is a regular here, you shouldn't have a problem getting help from him, although not privately.
Posted: Sat Dec 15, 2007 4:49 pm
by andym01480
In answer to your first question: is a variable set by you, not a web page user, so it cannot be "injected" into unless you then allow user input to inject into it, i.e.
$email.=$_POST['some_form_variable'];
The mail injection problem is about "header injection". Not sure you have understood the tutorials you have read! Try:
http://www.securephpwiki.com/index.php/Email_Injection
The vulnerability is where you have outside input from $_GET, $_POST or $_REQUEST that will be used in the "to" or header part of mail().
The vulnerability of your code fragment
$note = $_REQUEST["note"];
$message .= "$note\n";
is not spam messages getting sent to the whole world, but nasty stuff getting sent to the intended recipient: dodgy hyperlinks, some naughty JavaScript, etc.
would stop naughty HTML code working in what you receive.
Swiftmail, from what I understand, protects you!
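A positive-validation version of the approach described in this post ("check for what you want"), as an added example that is not from the thread or from Swift Mailer. It assumes PHP 7.1+; the domain, the form field names and the helper function names are placeholders chosen for the example.

```php
<?php
// Added example, not code from the thread. Form values pass a positive
// check before they reach mail(), so nothing a user types can add a header.
// Addresses and field names are placeholders.

// Accept only a single, syntactically valid address with no line breaks.
function validated_address(string $input): ?string
{
    // CR, LF or NUL inside a header value lets a sender append "Cc:"/"Bcc:"
    // lines. Check the raw value before trimming so a trailing break is seen.
    if (preg_match('/[\r\n\0]/', $input) === 1) {
        return null;
    }
    $addr = trim($input, " \t");
    return filter_var($addr, FILTER_VALIDATE_EMAIL) === false ? null : $addr;
}

// The subject is a header too: collapse anything that could end the line.
function header_safe_subject(string $input): string
{
    return trim(preg_replace('/[\r\n\0]+/', ' ', $input));
}

// Body text may contain newlines, but not other control characters or markup.
function plain_body(string $input): string
{
    $text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $input);
    return strip_tags($text);
}

// Build and send the registration mail only from validated parts.
function send_registration_mail(array $form): bool
{
    $to = validated_address($form['email'] ?? '');
    if ($to === null) {
        return false; // reject the submission instead of "cleaning" it
    }
    $subject = header_safe_subject($form['subject'] ?? 'You have registered successfully');
    $message = plain_body($form['note'] ?? '') . "\n";
    $headers = "MIME-Version: 1.0\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n"
             . "From: <myemail@mydomain.com>\r\n";
    return mail($to, $subject, $message, $headers);
}

// Constructed check: the thread's test payload reaches PHP URL-decoded, so
// the %0A is already a real newline by the time it sits in $_POST.
$payload = urldecode('email@mydomain.com%0ACc:spam@recipient.com');
echo validated_address($payload) === null ? "rejected\n" : "accepted\n";
echo validated_address('user@example.com') === null ? "rejected\n" : "accepted\n";
```

Run from the command line the two lines print "rejected" and "accepted" in turn; in a form handler only send_registration_mail() is needed.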
Posted: Sat Dec 15, 2007 5:31 pm
by superdezign
superdez wrote: I downloaded and reviewed Swift Mailer, but it's quite complex and seems like overkill for my purpose.
It only takes a basic understanding of object-oriented programming to start using SwiftMailer. It's very well put together and does a lot of things for you without you needing to explicitly tell it to do so.