How to avoid PHP Email Injection Hack

An email injection hack occurs when an email form lets an attacker add CC and/or BCC addresses to the header of the email. This can happen if a form simply concatenates the "from" address field submitted with the form into the header parameter of the mail function.

e.g.

$header = "From: xxx@xxx.com";

Could be replaced with

$header = "From: xxx@xxx.com\r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com";

The $from variable below is assigned directly from the form parameter. You can see that if an attacker appended \r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com to the $from variable, the email would also be sent to every one of those addresses.

// Vulnerable: the submitted value goes straight into the header block
$from = trim($_POST['email']);
$headers  = "From: $from\r\n";
$headers .= "Content-type: text/html";
mail($to, $subject, $message, $headers);

The solution is to strip out any \r\n characters (and anything following them) before the value is placed in a header, using the code below:

$from = trim($_POST['email']);

# ADD THIS LINE TO STRIP OUT ALL \r\n characters and whatever follows them
# (the character class is [\r\n]; a literal | inside it would be a bug)
$from = preg_replace('/[\r\n].*/s', '', $from);

$headers  = "From: $from\r\n";
$headers .= "Content-type: text/html";
mail($to, $subject, $message, $headers);
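As an added example (not code from the original page), the following rejects a CR/LF-bearing or otherwise invalid address outright instead of silently truncating it, and logs the attempt so it can be seen in monitoring. The function names and the sample inputs are constructed for this demonstration.

```php
<?php
// Added example, not part of the original page. Function names and the
// sample inputs below are constructed for the demonstration.

// Returns a validated single address, or null if the input must be refused.
function safe_from_address(string $input): ?string
{
    $input = trim($input);
    // A header value must never contain a line break: a CR or LF would
    // start a new header line (for example an injected "BCC:").
    if (preg_match('/[\r\n]/', $input)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL also rejects spaces, colons and header names,
    // so only a plain address can reach the header.
    $valid = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Builds the header block only from an address that passed validation.
function build_headers(string $from): string
{
    return "From: $from\r\nContent-type: text/html\r\n";
}

// Constructed inputs: a clean address and the injected value the page
// describes (extra BCC headers smuggled in after a CR/LF).
$candidates = [
    "xxx@xxx.com",
    "xxx@xxx.com\r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com",
];

foreach ($candidates as $candidate) {
    $from = safe_from_address($candidate);
    if ($from === null) {
        // Refuse the request rather than repairing it; the log line is
        // also a useful signal that someone is probing the form.
        error_log('Rejected mail form submission: CR/LF or invalid address');
        continue;
    }
    // In the real form this string is the $headers argument to mail();
    // here it is printed so the example runs offline.
    echo build_headers($from);
}
```

Only the first candidate produces a header block; the second is logged and skipped.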

« This page (revision-1) was last changed on 24-May-2017 15:30 by UnknownAuthor