Posted by Jim at October 5th, 2005

Here’s something that those of you who do any kind of web development might want to know about:

Email Injection

OK. Some of you, perhaps everyone but me, know about this already. Email injection is a way of smuggling extra mail header lines through a web form that sends email, which allows someone to:

Add headers
Replace “To” and “From” information
Add attachments
Send spam to other people via your online email form and from your SMTP server

This, for obvious reasons, sucks.

I know that you can do this via a PHP-based form, but hijacking forms written in other languages seems possible too. If you’re interested in more of the technical information, feel free to check here. There’s also some more information in the online PHP manual.
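As an added example (not code from the original post), here is the defensive side of this: a PHP contact-form handler that refuses to pass any user-supplied value into a mail header if it contains a line break, since a CR or LF is exactly what lets an extra header be smuggled in. The form field names and the destination address are assumptions.

```php
<?php
// Added example: guarding a mail() contact form against header injection.
// Any value that ends up on a header line must be a single line of
// printable text; a CR/LF inside it would start a new header.
// Field names ('email', 'subject', 'message') and $to are assumptions.

function header_safe(string $value): ?string
{
    // Reject line breaks and any other control character outright,
    // rather than trying to strip them and guess what was meant.
    if (preg_match('/[\r\n\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return trim($value);
}

function send_contact_mail(array $post, string $to): bool
{
    $from    = header_safe($post['email'] ?? '');
    $subject = header_safe($post['subject'] ?? '');

    // Validate the sender as a real address, not only as "no newline".
    if ($from === null || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if ($subject === null || $subject === '') {
        return false;
    }

    // The body may legitimately contain newlines; it never reaches the headers.
    $body = str_replace("\r\n", "\n", (string)($post['message'] ?? ''));

    // Only "From" is built from user input; "To" is fixed server-side,
    // so the form cannot be turned into a relay for other recipients.
    $headers = 'From: ' . $from . "\r\n";

    return mail($to, $subject, $body, $headers);
}

// Constructed input: an address field carrying a line break and a second
// header. header_safe() rejects it, so mail() is never called.
var_dump(send_contact_mail(
    ['email' => "user@example.com\r\nCc: other@example.net",
     'subject' => 'Hello', 'message' => 'Hi there'],
    'webmaster@example.org'
)); // bool(false)
```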

I don’t pass this along for idle entertainment. Someone appears to be attempting to do exactly this with a form that I created. Amusingly, it doesn’t seem to be working. Apparently my php coding style is idiosyncratic enough that the usual ways of doing things don’t quite work. On the other hand, they are obviously trying… So, I’m rewriting the code to make things as close to impossible as I can.