[thelist] Email header injection

Kasimir K evolt at kasimir-k.fi
Fri Nov 11 03:42:18 CST 2005


on my personal site I've got a contact form, which is using PHP's mail() 
function. I do clean senders name and email address, as I want to have 
them in the header:
$name = preg_replace('/\n|\r/m', '', stripslashes($_POST['name']));

I thought this would keep me safe from header injections. But oddly it 
doesn't seem to be enough :-(

Here's the tail of headers from one mail:

To: mail at kasimir-k.fi
Subject: message from kasimir-k.fi
From: "witzerland6193 at kasimir-k.fi" <opens at eternal.nebula.fi>
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: it could be called, on which the wheels
Status: O
X-UID: 23573
Content-Length: 133

Two first lines are as they should be. The third line is constructed 
from (cleaned) user input. Lines 4-7 should not be there - how did they 
get there? The last four lines I presume are added by the MTA or MDA.

So if I clean anything going in the header, and do stripslashes() to the 
message body, what on earth can put those extra headers in?


More information about the thelist mailing list