\\r\nBcc:email1@somewhere.com,email2@somewhere.com\r\nCc:email3@elsewhere.com
into my "reply to" input field (I do some basic checks on that field, but nothing overboard) However, in my own testing of my script I was unable to get this idea to work.. however it does seem possible, and I wonder under what conditions can such an attack actually work??
My feedback form is here: http://www.crazybri.net/feedback.php
my code: (note all instances of @ have been replaced with AT for purposes of this post... Im not interested in being picked up by more spamspiders
Code: Select all
<?php
//code is free to use such as it is
include('config.php');
$email = "";
$src = $_GET['from'];
$user = $_GET['user'];
if(!empty($_POST))
{
$action = $_POST['action'];
$uid = $_POST['id'];
$uid = intval($uid);
$reply_to = $_POST['sender'];
$raw_input = $_POST['message'];
//trim message to 450 check reply_to for an @ if none put noreply AT crazybri.net
if(!strpos($reply_to,"@"))
{
$reply_to = 'noreplyATcrazybri.net';
}
$message = substr("$raw_input",0,450);
$message = str_replace("chr(","",$message);//keeps idiots from sending chr(0), etc- it just breaks it
$reply = str_replace("chr(","",$reply_to);
if($action == "news")
{
//note this section is only because I link my news feedback page to this feedback form
//just a rough hack
$nlink = mysql_connect('localhost','tuser','pass');
mysql_select_db('dbname');
$query = mysql_query("SELECT email FROM unp_user WHERE userid = '$uid' LIMIT 1",$nlink);
$data = mysql_fetch_array($query);
$email = $data['email'];
send_email($action,$email,$reply,$message);
}
else
{
send_email("basic","bri AT crazybri.net",$reply,$message);
}
header("Location: index.php");
}
$smarty->assign('src',$src);
$smarty->assign('id',$user);
$smarty->assign('title',$title);
$title2 = "CrazyBri Feedback Form- Send feedback or email to selected users";
$smarty->assign("title2",$title2);
include_once("header.php");
$smarty->display('feedback.tpl');
$file=('Feedback');
include_once('footer.php');
$email = "";
function send_email($action,$email,$reply,$message)
{
mail( $email, "$action Feedback Form Results", $message, "From: $reply<$reply>" );
}
?>My own attempt to inject email results in a feedback email *to* me (I hard code the send to, mind you, it isnt a variable)
Code: Select all
From - Wed Nov 23 09:04:03 2005
X-Account-Key: account3
X-UIDL: 914d4d4736204d7c0b12d9b3642a725c
X-Mozilla-Status: 0201
X-Mozilla-Status2: 00000000
Return-path: <nobody AT server1.controlhosting.net>
Envelope-to: bri AT crazybri.net
Delivery-date: Wed, 23 Nov 2005 09:03:49 -0500
Received: from nobody by server1.controlhosting.net with local (Exim 4.52)
id 1EevDx-0002uH-D0
for briATcrazybri.net; Wed, 23 Nov 2005 09:03:49 -0500
To: bri AT crazybri.net
Subject: basic Feedback Form Results
From: helloATcrazybri.net\\r\\nBcc:salesATcrazybri.net,rubberATcrazybri.net<helloATcrazybri.net\\r\\nBcc:salesATcrazybri.net,rubberATcrazybri.net>
Message-Id: <E1EevDx-0002uH-D0ATserver1.controlhosting.net>
Date: Wed, 23 Nov 2005 09:03:49 -0500
Hacker testing see if I can \\r\\nBcc:bodyATcrazybri.net\\r\\n inject some spam into the feedback form