Header Injections

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Header Injections

Post by alex.barylski »

From the Wiki:
"HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol (HTTP) headers are dynamically generated based on user input."
I'm not sure I get it though...why would headers ever need to be dynamically generated other than using time() to set the cache expiration, etc?

Certainly redirects are almost always hard-coded. Is this an example of an insecurity being introduced through bad design? Maybe I'm missing something about advanced header usage (admittedly I pretty much send the same headers in every project -- non-cache and redirects). Can someone give me an example as to when you might use dynamic headers so they might be exploited?

Cheers,
Alex
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: Header Injections

Post by arjan.top »

A better example here is email headers.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Header Injections

Post by Mordred »

There are many valid reasons to generate dynamic headers. The most common example is link counters:

link.php?url=http://google.com

and in link.php you have

header("Location: {$_GET['url']}");

With recent (at least a year IIRC) versions of PHP, the header() function is protected internally to strip newlines.
As arjan said though, generating SMTP headers (for the mail() function) does offer the possibility for header injections.

It's kinda stupid really, as it is by design that the function allows injection, it can't be fixed like header().
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Header Injections

Post by kaisellgren »

I have also come across an application that let the user specify his email format in a select box; there were two options: text/plain and text/html. The script never checked that the submitted value was indeed either of these, and allowed anything to be inserted into the headers.
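
The following is an added example, not code posted by anyone in this thread: one way to build the extra headers for mail() so that neither the select-box value described above nor any other submitted field can add a header line. The function names, the Reply-To field and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the thread.

// Only these Content-Type values may ever reach the header string.
const ALLOWED_FORMATS = ['text/plain', 'text/html'];

// Reject any value that could start a new header line (CR, LF) or
// truncate the string (NUL), instead of trying to strip it.
function assertSingleLine(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return $value;
}

// Build the extra headers for mail() from a submitted format and reply address.
function buildMailHeaders(string $format, string $replyTo): string
{
    // The select box is only a UI hint; the server re-checks the value.
    if (!in_array($format, ALLOWED_FORMATS, true)) {
        throw new InvalidArgumentException('unsupported mail format');
    }
    $replyTo = assertSingleLine($replyTo);
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid reply address');
    }
    return "Content-Type: {$format}; charset=UTF-8\r\nReply-To: {$replyTo}";
}

// Constructed sample inputs: two legitimate, two carrying an extra header line.
$samples = [
    ['text/html', 'alice@example.com'],
    ['text/plain', 'bob@example.com'],
    ["text/html\r\nBcc: list@example.net", 'alice@example.com'],
    ['text/plain', "alice@example.com\r\nBcc: list@example.net"],
];
foreach ($samples as [$format, $replyTo]) {
    try {
        $headers = buildMailHeaders($format, $replyTo);
        echo "accepted:\n{$headers}\n\n";
        // mail($to, $subject, $body, $headers) would be called here.
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n\n";
    }
}
```

The first two samples are accepted and the last two are rejected: one by the allowlist, the other by the line-break check.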
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Header Injections

Post by josh »

Could also pertain to request headers.