Old 09-29-2007, 04:32 AM   #15 (permalink)
jordie
The Wanderer
Join Date: Sep 2007
Location: Sydney, Australia

Oh, and seeing as this seems to be a generic PHP security thread, I'd like to add: Attack Three: Mail injection

I found this other thread by William that talks about mail() in PHP. It's fairly good and gets to the point. There is a problem with security if you rely on data being input from a user.

For example, if you have an "email a friend" on a page, your mail code might look like:

PHP Code:
$strFriendsName  = $_POST['FriendsName'];
$strFriendsEmail = $_POST['FriendsEmail'];
$strSenderEmail  = $_POST['SenderEmail'];
$strSenderName   = $_POST['SenderName'];
$intPageID       = (int)$_POST['PageID'];

// let's assume a query is run here to get the page data, returning the page name as $strPageName

$to      = $strFriendsEmail;
$subject = "Your friend has recommended a page";
$body    = "Hi " . $strFriendsName . "\n Your friend has recommended this web page titled: '" . $strPageName . "'\n\n You can view it at this address:\n\n http://www.example.com/pages/" . $intPageID;
$from    = $strSenderEmail;

// The From: header is built straight from user input, so it is never checked for new lines
mail($to, $subject, $body, "From: $from");
This can be exploited by inserting new lines into the post content and adding in new headers, e.g. Cc: or Bcc:. Spammers can take advantage of this and use your script to send their spam.

e.g. Instead of the SenderEmail just being an email, they could post in:
dummyEmail@example.com\nBcc: victim1@example.com, victim2@example.com etc.

The way to ensure this doesn't happen is to make sure there are no new lines, like this:

PHP Code:
// Removes carriage returns and line feeds so a value cannot start a new mail header
function StripNewLines($str){
    return str_replace(array("\r", "\n"), "", $str);
}

$strFriendsName  = StripNewLines($_POST['FriendsName']);
$strFriendsEmail = StripNewLines($_POST['FriendsEmail']);
$strSenderEmail  = StripNewLines($_POST['SenderEmail']);
$strSenderName   = StripNewLines($_POST['SenderName']);
$intPageID       = (int)$_POST['PageID'];

// let's assume a query is run here to get the page data, returning the page name as $strPageName

$to      = $strFriendsEmail;
$subject = "Your friend has recommended a page";
$body    = "Hi " . $strFriendsName . "\n Your friend has recommended this web page titled: '" . $strPageName . "'\n\n You can view it at this address:\n\n http://www.example.com/pages/" . $intPageID;
$from    = $strSenderEmail;

mail($to, $subject, $body, "From: $from");
It might also be advisable to create a ValidateEmailAddress() function so if the email isn't in the correct format it won't even be passed to the mail() function.

If I missed anything here, feel free to add to it or comment. Constructive criticism is more than welcome, especially when we're dealing with security. :)
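The post above suggests a ValidateEmailAddress() function; the following is an added example, not jordie's code and not from the thread, of checks that refuse a header injection outright instead of silently stripping it. The helper names isSafeHeaderValue(), validateEmailAddress() and sendRecommendation(), and the $fakeMailer stand-in, are assumed for the demo.

```php
<?php // Added example, not from the thread; helper names are assumed for illustration.
// Header values (To, From, Subject) may never contain CR, LF or NUL. Refusing
// the request, rather than stripping, makes an injection attempt fail visibly.
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Returns the trimmed address or null. FILTER_VALIDATE_EMAIL rejects addresses
// containing whitespace or line breaks, so an injected "Bcc:" line fails here.
function validateEmailAddress(string $email): ?string
{
    $email = trim($email);
    if (!isSafeHeaderValue($email)) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// Builds the "email a friend" message from untrusted POST-style input. Returns
// false if either address that lands in a header fails validation; otherwise sends.
function sendRecommendation(array $post, string $pageName, ?callable $mailer = null): bool
{
    $mailer       = $mailer ?? 'mail';
    $friendsEmail = validateEmailAddress($post['FriendsEmail'] ?? '');
    $senderEmail  = validateEmailAddress($post['SenderEmail'] ?? '');
    $friendsName  = $post['FriendsName'] ?? '';
    $pageId       = (int)($post['PageID'] ?? 0);
    if ($friendsEmail === null || $senderEmail === null) {
        return false;
    }
    $subject = 'Your friend has recommended a page';
    $body    = "Hi " . $friendsName . "\n Your friend has recommended this web page titled: '"
             . $pageName . "'\n\n You can view it at this address:\n\n http://www.example.com/pages/" . $pageId;
    return (bool)$mailer($friendsEmail, $subject, $body, "From: $senderEmail");
}

// Constructed sample inputs; the second carries the injection string shown in the post.
$good = ['FriendsName' => 'Alice', 'FriendsEmail' => 'alice@example.com',
         'SenderEmail' => 'bob@example.com', 'PageID' => '42'];
$bad  = $good;
$bad['SenderEmail'] = "dummyEmail@example.com\nBcc: victim1@example.com, victim2@example.com";

// Stand-in for mail() so the demo runs without an MTA; it accepts the call and does nothing.
$fakeMailer = function (string $to, string $subject, string $body, string $headers): bool { return true; };
var_dump(sendRecommendation($good, 'Welcome', $fakeMailer));
var_dump(sendRecommendation($bad, 'Welcome', $fakeMailer));
```

The body may legitimately contain new lines, so only values that end up in headers are checked; the first call is accepted and the second is refused before anything reaches mail().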