[nycphp-talk] Phundamentals Title Change: Email Header Injection

Dan Cech dcech at phpwerx.net
Mon Sep 19 08:24:27 EDT 2005


Jeff & list,

I believe I managed to avoid weighing into the various debates raging 
back and forth in the thread.

The idea of checking for particular email addresses in the mail logs 
does seem pretty naive, especially as they are such a throwaway item 
these days.

Personally I'm of the opinion that these kinds of forms should require 
inputs that are supposed to be email addresses to look like email 
addresses.  Not only will that remove the possibility of this exploit, 
it will also cut down (ever so slightly) on malformed addresses being 
sent through to the mail subsystem.  Good user feedback for 'invalid' 
addresses should allow anyone using the form to 'correct' them, so I see 
little point in blindly accepting something that isn't obviously an 
email address.

The other common vulnerable field seems to be the Subject, though I see 
very little reason not to restrict that (or any other non-address) field 
to something like /^([-a-z0-9!@#$%^&*()_\[\]{}\\|;:'",.<>\/?+= ]+)$/i, 
especially considering the fact that non-ASCII characters are usually 
frowned upon in email headers.

Also, correct me if I'm wrong, but I believe the %0A encoding is purely 
used in the request string; once it gets into PHP it will just see 
either \n or \r. The literal string %0A does not pose any risk to emails 
as a string itself.

Dan

Jeff Siegel wrote:
> Point well taken and I believe it was Dan C. who noted the need to not rely
> on that list of "known" email addresses.
>  
> Jeff
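
Added example, not part of the original message or the thread: a PHP sketch of the validation described above, run over constructed query strings to show how %0A and %0D reach PHP as \n and \r while the literal text "%0A" is harmless. The function names are hypothetical, and the subject pattern is the one from the message with the D modifier added, because in PCRE a bare "$" also matches just before a trailing newline.

```php
<?php
// Added example: names below are hypothetical, sample requests are constructed.

// The whitelist from the message, with the D modifier added so that "$"
// cannot match before a trailing newline (PCRE's default behaviour).
const TEXT_FIELD = '/^([-a-z0-9!@#$%^&*()_\[\]{}\\\\|;:\'",.<>\/?+= ]+)$/iD';

// True when the value contains a raw CR or LF, the header separators.
function has_line_break(string $value): bool
{
    return strpbrk($value, "\r\n") !== false;
}

// An address field must look like an address and contain no line breaks.
function valid_address(string $value): bool
{
    return !has_line_break($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Subject and other non-address fields: whitelist of printable ASCII.
function valid_text_field(string $value): bool
{
    return preg_match(TEXT_FIELD, $value) === 1;
}

// Constructed query strings, decoded the way PHP decodes a request.
$requests = [
    'plain form post'       => 'from=alice%40example.com&subject=Question+about+order',
    'encoded LF in from'    => 'from=alice%40example.com%0AX-Constructed%3A+1&subject=Hi',
    'encoded CR in subject' => 'from=alice%40example.com&subject=Hi%0DX-Constructed%3A+1',
    'trailing LF only'      => 'from=alice%40example.com&subject=Hi%0A',
    'literal text %0A'      => 'from=alice%40example.com&subject=50%25+off+%250A',
];

foreach ($requests as $label => $query) {
    parse_str($query, $fields);   // %0A becomes "\n", %250A becomes the text "%0A"
    $ok = valid_address($fields['from']) && valid_text_field($fields['subject']);
    printf("%-22s from=%s subject=%s => %s\n", $label,
        json_encode($fields['from']), json_encode($fields['subject']),
        $ok ? 'accept' : 'reject');
}
```

Run with the PHP CLI; only the first and last requests are accepted, and the "trailing LF only" case is the one that would slip through without the D modifier.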
