Email injection question

LEGEND, May 09, 2008

The only fields that would be a threat for email injection would be fields
that get included in the email header, right? Other fields, like a textarea
field in the form is not a problem if I'm understanding this threat
correctly....

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================


TOPICS
Server side applications

LEGEND, May 09, 2008

On 09 May 2008 in macromedia.dreamweaver.appdev, Murray *ACE* wrote:

> The only fields that would be a threat for email injection would be
> fields that get included in the email header, right? Other fields,
> like a textarea field in the form is not a problem if I'm
> understanding this threat correctly....

Well, no... I probably have some samples around somewhere, but I've seen
attempts to put headers into the body of an email - like extra TOs and
BCCs. If they're the first line(s) in a message posted from a form, the
mailer may well interpret them as headers. For What It's Worth, I
haven't seen it in a while. If it's really a concern, you might check
for header-ish stuff (certain 'dirty' words, the @ sign) in the first
line or two of the message.

--
Joe Makowiec
http://makowiec.net/
Email: http://makowiec.net/contact.php

LEGEND, May 10, 2008

Are you sure about this, Joe? I didn't think that would happen. But I
haven't investigated it thoroughly....

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
LEGEND, May 10, 2008

In the course of reading, I found this -

http://www.shaunwagner.com/projects/php/as_mail.html

Anyone familiar with that one?

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
LEGEND, May 10, 2008

Or zend_mail()?

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
LEGEND, May 10, 2008

On 10 May 2008 in macromedia.dreamweaver.appdev, Murray *ACE* wrote:

> Are you sure about this, Joe? I didn't think that would happen.
> But I haven't investigated it thoroughly....

Yup. Though like I said, I haven't seen it in a couple of years.
Most of the formspam I get (all rejected, but logged) is either of the
logspam variety, or the attempt to add spam links to a blog/guestbook
variety.

http://www.astalavista.com/index.php?section=docsys&cmd=details&id=30

http://www.anders.com/projects/sysadmin/formPostHijacking/
http://www.securephpwiki.com/index.php/Email_Injection
http://nyphp.org/phundamentals/email_header_injection.php
http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/

Etc... http://www.google.com/search?q=email+form+header+injection

Apparently the PHP mail() function has some safeguards built in, but
still can be got around. Look for 'injection' at

http://www.php.net/manual/en/function.mail.php

Also, see:

The mail() function converts control characters like linefeed or
carriage return in the Subject and To parameters into spaces as a
protection against email header injection. However an exception is
made for folded mail headers that continue on the next line.
Unfortunately the macro handling this folding is flawed and can be
tricked to allow email header injection.

http://www.php-security.org/MOPB/MOPB-34-2007.html

--
Joe Makowiec
http://makowiec.net/
Email: http://makowiec.net/contact.php

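The mechanism Joe describes in his two replies (header-looking lines at the top of a form body, or a line break inside a header field, being read by the mailer as extra headers) and the CR/LF-to-space safeguard he quotes for PHP mail(), shown side by side with a hardened builder. This is an added Python illustration, not code from the thread or from PHP; the form fields, addresses and the careless message builder are constructed for the example.

```python
import email
import re
from email import policy

# Constructed form submission: CR/LF smuggled into the "name" field and a
# header-looking first line in the "message" textarea (Joe's case).
FORM = {
    "name": "Alice\r\nBcc: list@example.net",
    "email": "alice@example.com",
    "message": "Bcc: more@example.net\n\nHi, great site!",
}

# Header names that should never appear at the top of a form body.
HEADER_LINE = re.compile(r"^(to|cc|bcc|from|subject|content-type)\s*:", re.I)

def naive_message(form):
    """Careless builder: raw fields, and no blank line before the body."""
    return ("To: owner@example.org\n"
            f"From: {form['email']}\n"
            f"Subject: Contact from {form['name']}\n"
            + form["message"])

def parsed_headers(raw):
    """Header names a standards-following mailer would see in the raw text."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [name.lower() for name in msg.keys()]

def clean_header_value(value):
    """Mirror of the mail() safeguard: CR/LF in a single-line field become spaces.
    Rejecting the submission outright is the stricter choice."""
    return re.sub(r"[\r\n]+", " ", value).strip()

def suspicious_body(body, lines_to_check=2):
    """Joe's heuristic: header-ish lines in the first line or two of the body."""
    return any(HEADER_LINE.match(line) for line in body.splitlines()[:lines_to_check])

def safe_message(form):
    """Hardened builder: cleaned header fields and a blank line ending the headers,
    so anything in the textarea is body text whatever it looks like."""
    return ("To: owner@example.org\n"
            f"From: {clean_header_value(form['email'])}\n"
            f"Subject: Contact from {clean_header_value(form['name'])}\n\n"
            + form["message"])

if __name__ == "__main__":
    print("naive:", parsed_headers(naive_message(FORM)))   # two Bcc headers sneak in
    print("safe: ", parsed_headers(safe_message(FORM)))    # only To, From, Subject
    print("flag body:", suspicious_body(FORM["message"]))  # True
```

The blank line in safe_message is what keeps the textarea out of the header block; the first-lines check is a second, heuristic layer for logging or rejecting submissions that look like the attempts Joe mentions.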
LEGEND, May 10, 2008

On 10 May 2008 in macromedia.dreamweaver.appdev, Murray *ACE* wrote:

> In the course of reading, I found this -
>
> http://www.shaunwagner.com/projects/php/as_mail.html
>
> Anyone familiar with that one?

First I'd heard of it, but it looks OK, other than the fact that it uses
eregi where it should probably use preg_match.

http://www.php.net/preg_match

--
Joe Makowiec
http://makowiec.net/
Email: http://makowiec.net/contact.php

LEGEND, May 12, 2008

How about Zend-mail? Any familiarity?

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Participant, May 12, 2008

Hi,
I have come across Zendmail in poorly written PHP and some CGI scripts. It's tough, never heard of any problems with that.
