This problem also occurs with calls to header(), which can result in HTTP
header injection. There was an osCommerce vulnerability recently that was
caused by this.
Harry Metcalfe
> -----Original Message-----
> From: Irene Abezgauz [mailto:irene.abezgauz (at) gmail (dot) com [email concealed]]
> Sent: 09 August 2005 14:11
> To: Harry Metcalfe
> Cc: webappsec (at) securityfocus (dot) com [email concealed]
> Subject: Re: Email header injection in PHP
>
> Just wanted to add - it doesn't have to be just the mail() function
> abuse, SMTP header injection weaknesses occur in web applications, not
> necessarily the traditional way. It can exist (and indeed does) in a
> variety of homegrown applications that implement mailing mechanisms.
> Also something that needs to be noted, and watched for.
>
> Just my 2c,
>
> Irene
>
>
> On 8/9/05, Harry Metcalfe <harry (at) slaptop (dot) com [email concealed]> wrote:
> > This is not a new problem, but I recently ran afoul of it and I thought
> > someone out there might appreciate a heads-up.
> >
> > It's pretty easy for malicious users in inject headers into contact
> forms.
> > This is often used to send spam by injecting a BCC header with a long
> list
> > of email addresses. It's quite similar to the recently discovered header
> > injection flaw in oscommerce: the solution is to check for, and remove,
> any
> > line return(s) which may be present in data passed to mail() -- other
> than
> > in the message parameter, obviously.
> >
> > This can have an added annoyance: some ISPs - AOL, most notably - will
> > reject _all_ incoming mail (forever) from servers from which they have
> > previously received spam. A vulnerable form on your server can thus lead
> to
> > more problems than a little spam.
> >
> > More information here:
> > http://musingsofharry.blogspot.com/2005/08/email-header-injection-in-
> php.htm
> > l
> >
> > HTH,
> >
> > Harry Metcalfe
> >
> >
This problem also occurs with calls to header(), which can result in HTTP
header injection. There was an osCommerce vulnerability recently that was
caused by this.
Harry Metcalfe
> -----Original Message-----
> From: Irene Abezgauz [mailto:irene.abezgauz (at) gmail (dot) com [email concealed]]
> Sent: 09 August 2005 14:11
> To: Harry Metcalfe
> Cc: webappsec (at) securityfocus (dot) com [email concealed]
> Subject: Re: Email header injection in PHP
>
> Just wanted to add - it doesn't have to be just the mail() function
> abuse, SMTP header injection weaknesses occur in web applications, not
> necessarily the traditional way. It can exist (and indeed does) in a
> variety of homegrown applications that implement mailing mechanisms.
> Also something that needs to be noted, and watched for.
>
> Just my 2c,
>
> Irene
>
>
> On 8/9/05, Harry Metcalfe <harry (at) slaptop (dot) com [email concealed]> wrote:
> > This is not a new problem, but I recently ran afoul of it and I thought
> > someone out there might appreciate a heads-up.
> >
> > It's pretty easy for malicious users in inject headers into contact
> forms.
> > This is often used to send spam by injecting a BCC header with a long
> list
> > of email addresses. It's quite similar to the recently discovered header
> > injection flaw in oscommerce: the solution is to check for, and remove,
> any
> > line return(s) which may be present in data passed to mail() -- other
> than
> > in the message parameter, obviously.
> >
> > This can have an added annoyance: some ISPs - AOL, most notably - will
> > reject _all_ incoming mail (forever) from servers from which they have
> > previously received spam. A vulnerable form on your server can thus lead
> to
> > more problems than a little spam.
> >
> > More information here:
> > http://musingsofharry.blogspot.com/2005/08/email-header-injection-in-
> php.htm
> > l
> >
> > HTH,
> >
> > Harry Metcalfe
> >
> >
[ reply ]