
Header injections??

Posted: Fri Jul 11, 2008 1:03 pm
by Martin.h
I have the following Swift Mailer script running on a contact page:

Code:

<?php
require_once "lib/Swift.php";
require_once "lib/Swift/Connection/NativeMail.php"; //There are various connections to use

// Swift Mailer 3 API: deliver through PHP's mail() rather than a direct SMTP connection
$swift =& new Swift(new Swift_Connection_NativeMail());

// The subject is fixed by the script; only the body text and the sender come from the form
$message =& new Swift_Message("Vraag van henridoorten.nl");
$message->attach(new Swift_Message_Part("Naam: " . $_POST['naam'] . "
Emailadres: ". $_POST['emailadres'] . "
Telefoonnummer: ".$_POST['telefoon']. "
Vraag: ".$_POST['bericht'] ));

// send($message, $recipients, $from): the mail goes to the site owner, with the
// visitor's own address and name used as the From address
$succes = $swift->send($message, new Swift_Address("info@henridoorten.nl"), new Swift_Address($_POST['emailadres'], $_POST['naam']));
?>
 
I was under the impression that this was a secure script, which is not vulnerable to header injections. The only problem is that I sometimes get loads of 'return to sender' emails from header injections on my site. Here is an example of a return message:

Code:

Received: from rmztgkz.telecomitalia.it (host199-2-static.34-79-b.business.telecomitalia.it [79.34.2.199])
    by hknpx2.hknet.com (Postfix) with SMTP id E3E4F3803C
    for <buffjt@hknet.com>; Sat, 12 Jul 2008 01:48:47 +0800 (HKT)
Date: Fri, 11 Jul 2008 17:48:50 +0000
From: "Desnoyers Treichler" <ilion@henridoorten.nl>
X-Mailer: The Bat! (3.62.2) Professional
Reply-To: Desnoyers Treichler <ilion@henridoorten.nl>
X-Priority: 3 (Normal)
Message-ID: <3530795598.20080711171824@henridoorten.nl>
To: <buffjt@hknet.com>
Subject: :)
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----------7E0B9850DC8C7E"
 
------------7E0B9850DC8C7E
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
 
Hi,=09
=09
How To Get Any Womaan Into Bed? Try ...
http://qio.gcoohoepg.cn  =20
 =20
I come hither obedient to thee. Subject as i am filled with
wrath, pierced bhima with nine broadheaded and ordeined,
as those were of the ordinarie maine the foremost carwarriors
among the pandavas became pandava, that mighty armed one,
with the view and then started for the mountains of himavat.
loss of the vedas, o supreme lord, righteousness conduct
by which a king succeeds in aggrandising towardes northe,
leavyng the space of lxxv. Yardes should disembark to cross
the hills or to pursue their riders and lying all about
with the standards yudhisthira and bhima plunged in misery,
arjuna in the pursuit of morality, profit, and pleasure,
but like the jantleman the better for it anyhow. Vacillating,
but now impelled into a firmer courage they could see some
of the peaks of the himalayas, a little brook crossed it,
flowing between mossy taking up another bow, and putting
forth his prowess to die, hath gone away at thy behest.
what can race! Then the ruler of men took separately each.
 
------------7E0B9850DC8C7E
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">=09
   <html> <head>   <title></title>=20
<META http-equiv=3DContent-Type content=3D"text/html; charset=3D"iso-8859-1=
">
</head>
<body>=09
 
<p>Hi,<a name=3D"#qpqw">  </a></p><span></span>
<strong></strong><br><span name=3D"#pwqp">   </span>How To Get Any Womaan I=
nto Bed? Try our...<br><br><table cellspacing=3D"8" width=3D"189" cellpaddi=
ng=3D"1" border=3D"2">
 
<tr>
<td valign=3D"top" bgcolor=3D"#F0BCCD" align=3D"right" bordercolor=3D"#C18F=
3D" nowrap=3D"nowrap">  V</td>
 <td align=3D"center" nowrap=3D"nowrap" bgcolor=3D"#BCF0E1">   <font color=
=3D"#BCF0E1">t</font><i>I</i></td>
=09<td bgcolor=3D"#EFBCF0" bordercolor=3D"#F4611C" valign=3D"baseline"><b>A=
</b>=09</td>
   <td valign=3D"top" align=3D"left" bgcolor=3D"#BCF0C5">G<font color=3D"#B=
BF0C5">z</font></td>
<td align=3D"right" bgcolor=3D"#BCF0ED" valign=3D"top" nowrap=3D"nowrap" bo=
rdercolor=3D"#956714"> <b>R</b>  </td>
<td align=3D"center" bordercolor=3D"#A32DBA" bgcolor=3D"#BCF0E0" valign=3D"=
top">  <font color=3D"#BBF0E0">0</font><strong>A</strong>
</td>
</tr>
 </table>
  <br>
<span>=09</span><a href=3D"http://qio.gcoohoepg.cn">
Click here</a><a name=3D"#rppp"></a><br><span name=3D"#pwpw">=09</span><p><=
a name=3D"#tqqt">  </a></p><span></span>
<p><br>I come hither obedient to thee. Subject as i am filled with<br> wrat=
h, pierced bhima with nine broadheaded and ordeined,<br> as those were of t=
he ordinarie maine the foremost carwarriors<br> among the pandavas became p=
andava, that mighty armed one,<br> with the view and then started for the m=
ountains of himavat.<br> loss of the vedas, o supreme lord, righteousness c=
onduct<br> by which a king succeeds in aggrandising towardes northe,<br> le=
avyng the space of lxxv. Yardes should disembark to cross<br> the hills or =
to pursue their riders and lying all about<br> with the standards yudhisthi=
ra and bhima plunged in misery,<br> arjuna in the pursuit of morality, prof=
it, and pleasure,<br> but like the jantleman the better for it anyhow. Vaci=
llating,<br> but now impelled into a firmer courage they could see some<br>=
 of the peaks of the himalayas, a little brook crossed it,<br> flowing betw=
een mossy taking up another bow, and putting<br> forth his prowess to die, =
hath gone away at thy behest.<br> what can race! Then the ruler of men took=
 separately each.</p>
</body></html>
------------7E0B9850DC8C7E--
 
Does anyone have any idea what I am doing wrong?

Re: Header injections??

Posted: Sat Jul 12, 2008 4:42 pm
by steakpie
Not yet being a Swift Mailer pro, I am unable to make any claims about its security, but I will suggest that you not trust ANYTHING!!!

Before passing your details to Swift, it would not do any harm to do some validating and cleansing of any submitted data.

Try adding this to your function file or any other file that is called at the top of each page ...

Code:

<?php
## clean_gpc()
## Seen as this file is called at the top of every page, lets clean all GPC & R data
function clean_gpc($str){
    # Escape quotes only when magic_quotes has not already done so. The function was
    # removed in PHP 8, where nothing is auto-escaped, so treat "absent" as "off".
    # The escaped value must be assigned back into $str, or the call has no effect.
    if( !function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc() ){ $str = addslashes($str); }
    $str = strip_tags($str);
    $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
    $str = trim($str);
    return $str;#1 shiny new string!
}
## Cleanse any GPC data now and its done ...
foreach( $_GET as $name=>$value ){ $_GET[$name] = clean_gpc($value); }
foreach( $_POST as $name=>$value ){ $_POST[$name] = clean_gpc($value); }
foreach( $_COOKIE as $name=>$value ){ $_COOKIE[$name] = clean_gpc($value); }
foreach( $_REQUEST as $name=>$value ){ $_REQUEST[$name] = clean_gpc($value); }
# END clean_gpc() and its allies!
?>
 
Then to find any email nasties ...

Code:

<?php
## check_email_headers()
## Searches for email nasties !!
function check_email_headers($str=""){
    $str = strtolower($str);# Everything may be lowercase, but it's a compromise I am fine with!!!
    # An Array Of Unwanted's ...
    $email_nasties = array(
        # Line breaks and feeds 
        "\r","\n","<br>","<br />","<br/>","%0a","%0d",
        # Content type, types!
        "content-type:", "content-transfer-encoding:","mime-version:",
        # bcc, to ...
        "cc:","bcc:","to:","from:","subject:",
        # JS nasties ...
        "document.cookie", "document.write", "onclick", "onload"
    );
    # preg_match() takes a single pattern, not an array, and these entries are plain
    # text rather than regexes, so test each one as a substring instead.
    foreach( $email_nasties as $nasty ){
        if( strpos($str, $nasty) !== false ){
            # attk_alert() is the poster's own logging hook and is not shown in the thread.
            if( function_exists('attk_alert') ){ attk_alert(1,"Email Injection Attempt"); }
            break;
        }
    }
    # If there is any dodgy data, remove it before proceeding. The nasty_stripper() helper is
    # not shown in the thread either; str_replace() does the same job, and its result has to be
    # assigned back because PHP passes strings by value.
    $str = str_replace($email_nasties, "", $str);
    return $str;
}// END check_email_headers()
?>
 
Having not sniffed around Swift's methods too much, I am unsure as to what validating and cleansing is done; plus, if I have not written the scripts, I will not truly trust them till I have read the source and truly understand every aspect. Adding your own validating and cleaning processes also gives you an extra layer of security[1]

Hope this helps :)


[1] lol, HTTP was secure until we decided we needed scripts, images, videos and all the stuff a stateless protocol was not designed for!!!
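A worked illustration of what an e-mail header injection actually is, and of the one check that matters for it. This is an editor's added example, not code from the post above or from Swift Mailer; it is in Python rather than PHP because the standard-library `email` parser shows the split headers directly. The sanitiser in the post strips tags and HTML-escapes every field, which is an output encoding for HTML and will mangle a legitimate message body, while what a mail header needs is a refusal of any value that contains a line break. The names `naive_header_block`, `is_header_safe`, `is_valid_address` and `safe_header_block`, and the sample attacker input, are all constructed for this example.

```python
"""Header injection against a naive mail builder, and the input check that
prevents it.  Editor's added example; not code from the post or Swift Mailer.
"""
import email
import re

# --- the vulnerable pattern -------------------------------------------------

def naive_header_block(name: str, addr: str, subject: str) -> str:
    """Build raw RFC 5322 headers the unsafe way: form fields pasted straight
    into header lines, as a hand-rolled mail() wrapper often does."""
    return (
        f"From: {name} <{addr}>\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        "(body)\r\n"
    )


def parse_headers(raw: str) -> dict:
    """Parse a raw message into {lower-case header name: [values]}.
    A CRLF smuggled inside a field value shows up here as an extra header."""
    msg = email.message_from_string(raw)
    out: dict = {}
    for name, value in msg.items():
        out.setdefault(name.lower(), []).append(value)
    return out


# Constructed attacker input (not from the thread): an "address" carrying a
# line break and an extra Bcc header.  Everything after the CRLF becomes a
# header line of its own once the message is parsed by an MTA.
INJECTED_ADDR = "mark@example.com\r\nBcc: victim1@example.org, victim2@example.org"


def demo_injection() -> dict:
    """Run the naive builder on the attacker input and parse the result."""
    return parse_headers(naive_header_block("Mark", INJECTED_ADDR, "Vraag"))


# --- the check --------------------------------------------------------------

# Raw CR, LF and NUL can never legitimately appear inside one header value.
_CTRL_RE = re.compile(r"[\r\n\x00]")
# Percent-encoded breaks are harmless as literal text (PHP has already
# URL-decoded $_POST), but reject them too in case a later layer decodes again.
_ENCODED_BREAK_RE = re.compile(r"%0[aAdD]")
# Deliberately strict address shape for a contact form (not full RFC 5322).
_ADDR_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


def is_header_safe(value: str) -> bool:
    """True if the value can sit in a mail header without splitting it."""
    return not (_CTRL_RE.search(value) or _ENCODED_BREAK_RE.search(value))


def is_valid_address(addr: str) -> bool:
    return is_header_safe(addr) and _ADDR_RE.match(addr) is not None


def safe_header_block(name: str, addr: str, subject: str) -> str:
    """Same builder, but refuse rather than sanitise: a field with a line
    break in it is an attack, not data to be cleaned up and sent anyway."""
    if not is_valid_address(addr):
        raise ValueError("rejected sender address")
    if not (is_header_safe(name) and is_header_safe(subject)):
        raise ValueError("rejected header field")
    return naive_header_block(name, addr, subject)


if __name__ == "__main__":
    for header, values in demo_injection().items():
        print(f"{header}: {values}")
    try:
        safe_header_block("Mark", INJECTED_ADDR, "Vraag")
    except ValueError as exc:
        print("blocked:", exc)
```

Running it prints a `bcc` header that the script never wrote, which is the whole attack: the recipient list is extended by the visitor. The fix rejects the request; it does not strip the line break and continue, because silently "cleaning" an injection attempt still lets the attacker probe which characters get through.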

Re: Header injections??

Posted: Sun Jul 13, 2008 4:06 am
by Chris Corbyn
How do you know these are header injection attacks, and not somebody simply using your email address as a return-path? The latter is extremely common and results in all bounces coming to your inbox instead of the spammer's inbox.

It's not possible to perform a header-injection attack using Swift Mailer, but if you find a security hole and can replicate it then I would definitely fix it asap.
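The distinction Chris draws can be checked from the bounce itself, and the headers quoted in the first post already answer it: the receiving MTA (hknpx2.hknet.com) recorded the connecting host as a Telecom Italia business line (79.34.2.199), the subject is ":)" rather than the form's fixed "Vraag van henridoorten.nl", and the X-Mailer is The Bat!. A message injected through the contact form would still have left via the web host. The triage below is an editor's added example, not part of the thread; the headers in `BOUNCE_FROM_POST` are copied from the first post (body omitted), while `MESSAGE_VIA_WEB_HOST`, the `WEB_HOST_IPS` placeholder (203.0.113.10, a documentation-range address) and the function names are constructed for the example.

```python
"""Triage of a bounced message: backscatter from a forged sender, or a
message that really left through the contact form?  Editor's added example,
not part of the thread.
"""
import email
import re
from typing import Optional

# Headers of the bounce quoted in the first post (spam body omitted).
BOUNCE_FROM_POST = """\
Received: from rmztgkz.telecomitalia.it (host199-2-static.34-79-b.business.telecomitalia.it [79.34.2.199])
    by hknpx2.hknet.com (Postfix) with SMTP id E3E4F3803C
    for <buffjt@hknet.com>; Sat, 12 Jul 2008 01:48:47 +0800 (HKT)
Date: Fri, 11 Jul 2008 17:48:50 +0000
From: "Desnoyers Treichler" <ilion@henridoorten.nl>
X-Mailer: The Bat! (3.62.2) Professional
Reply-To: Desnoyers Treichler <ilion@henridoorten.nl>
X-Priority: 3 (Normal)
Message-ID: <3530795598.20080711171824@henridoorten.nl>
To: <buffjt@hknet.com>
Subject: :)

(body omitted)
"""

# Constructed counter-example (not from the thread): a message whose first
# hop IS the web server, which is what an injection through the form looks like.
MESSAGE_VIA_WEB_HOST = """\
Received: from www.example-hosting.invalid (www.example-hosting.invalid [203.0.113.10])
    by mx.example-hosting.invalid (Postfix) with ESMTP id 0A1B2C3D4E
    for <someone@example.net>; Fri, 11 Jul 2008 12:00:00 +0000
From: "Naam" <iemand@example.net>
To: <someone@example.net>
Subject: :)

(body omitted)
"""

# Assumption: the address(es) from which the site's web server hands mail to
# its MTA.  203.0.113.10 is a documentation-range placeholder, not a real host.
WEB_HOST_IPS = {"203.0.113.10"}
# Subject the form script sets unconditionally (from the first post).
FORM_SUBJECT = "Vraag van henridoorten.nl"

_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def originating_hop(msg) -> Optional[dict]:
    """Return the first SMTP hop.  Relays prepend Received headers, so the
    last one in the list was written by the first MTA to see the message.
    Only trust a Received line stamped by an MTA you (or the bouncing site)
    control; lines below that one can be forged by the sender."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _RECEIVED_RE.search(" ".join(received[-1].split()))
    return m.groupdict() if m else None


def triage(raw: str, web_host_ips=WEB_HOST_IPS, form_subject=FORM_SUBJECT) -> dict:
    """Classify a bounced message and list the evidence for the verdict."""
    msg = email.message_from_string(raw)
    hop = originating_hop(msg)
    findings = []
    via_web_host = hop is not None and hop["ip"] in web_host_ips
    if hop is None:
        findings.append("no parseable Received header; cannot place the origin")
    elif not via_web_host:
        findings.append(f"first hop {hop['rdns']} [{hop['ip']}] is not the web host")
    subject = (msg.get("Subject") or "").strip()
    if subject != form_subject:
        findings.append(f"subject {subject!r} is not the form's fixed subject")
    if msg.get("X-Mailer"):
        findings.append(f"X-Mailer {msg['X-Mailer']!r} names the sender's own client")
    # The Message-ID domain is chosen by the sending software and proves nothing.
    if via_web_host:
        verdict = "via web host: inspect the form script and its logs for injection"
    else:
        verdict = "backscatter: sender address forged elsewhere, form not involved"
    return {"verdict": verdict, "origin": hop, "findings": findings}


if __name__ == "__main__":
    for sample in (BOUNCE_FROM_POST, MESSAGE_VIA_WEB_HOST):
        result = triage(sample)
        print(result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

The verdict rests on the connecting IP, because that is the one field the sender cannot choose: the spammer picks the From, Reply-To, Message-ID and X-Mailer freely, and none of those point at the form. Backscatter like this is stopped at the domain level (SPF records for henridoorten.nl so that receivers reject the forged envelope sender) rather than in the contact script.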

Re: Header injections??

Posted: Fri Jul 18, 2008 1:05 pm
by Martin.h
Together with my web hoster, we investigated the emails. It seems to be bounce spam and not a header injection. Sorry for the false alert. Swift Mailer is not to blame!