[thelist] Email header injection
Kasimir K
evolt at kasimir-k.fi
Fri Nov 11 03:42:18 CST 2005
Hello,
on my personal site I've got a contact form, which is using PHP's mail()
function. I do clean senders name and email address, as I want to have
them in the header:
$name = preg_replace('/\n|\r/m', '', stripslashes($_POST['name']));
I thought this would keep me safe from header injections. But oddly it
doesn't seem to be enough :-(
Here's the tail of headers from one mail:
To: mail at kasimir-k.fi
Subject: message from kasimir-k.fi
From: "witzerland6193 at kasimir-k.fi" <opens at eternal.nebula.fi>
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: it could be called, on which the wheels
Status: O
X-UID: 23573
Content-Length: 133
X-Keywords:
Two first lines are as they should be. The third line is constructed
from (cleaned) user input. Lines 4-7 should not be there - how did they
get there? The last four lines I presume are added by the MTA or MDA.
So if I clean anything going in the header, and do stripslashes() to the
message body, what on earth can put those extra headers in?
thanks,
.k
More information about the thelist
mailing list