[thelist] Email header injection

Nick Wilsdon n.wilsdon at e3internet.com
Fri Nov 11 07:10:33 CST 2005


> So if I clean anything going in the header, and do stripslashes() to the 
>message body, what on earth can put those extra headers in?

Hi Kasimir

We had similar problems here which only ceased after protecting both the
front end form and the sendmail.php page. We stripped out 'Content-Type' as
well as putting in a captcha on the worst hit ones. If they can turn the form
into HTML they have an opportunity to use HEX characters, which you aren't
stripping out there.

This link was very helpful:

http://securephp.damonkohler.com/index.php/Email_Injection

Best Regards,

Nick

Managing Director
e3internet
http://www.e3internet.com
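As an added illustration (not code from Nick's post, Kasimir's script or the linked page), the following Python models the form-to-mail pattern discussed in this thread: a naive header builder that concatenates form fields straight into the header block, beside a checked one that rejects raw line breaks, percent-encoded ones (the "HEX characters" mentioned above, including double-encoded %250a) and a stray Content-Type before the field ever reaches the mailer. The field names, regular expressions and sample inputs are this example's own assumptions, and the sample inputs are constructed.

```python
"""Detect and block e-mail header injection in a form-to-mail handler.

Added example for the thelist thread; it is not the sendmail.php script
discussed there.  The form fields, patterns and inputs are assumptions.
"""
import re
from urllib.parse import unquote

# Raw CR, LF and NUL.  Any of these lets the attacker start a new header line.
_LINE_BREAK = re.compile(r"[\r\n\x00]")
# Percent-encoded CR/LF/NUL that a filter looking only for literal line
# breaks would miss if the value is decoded again further down the pipeline.
_PERCENT_BREAK = re.compile(r"%(?:0[aAdD]|00)")
# Header names an attacker inserts to redirect mail or switch the body to
# HTML.  Checked after line breaks are rejected, so this only fires when the
# whole field starts with one of them (e.g. a "name" field of "Bcc: ...").
_INJECTED_HEADER = re.compile(r"(?im)^\s*(bcc|cc|to|from|content-type|mime-version)\s*:")


def is_header_safe(value: str) -> bool:
    """Return True only if the value cannot add a header line of its own.

    Percent-decoding is applied repeatedly (bounded to three rounds) so a
    double-encoded %250a is caught as well; the decoded text is then checked
    for line breaks and for an injected header name at its start.
    """
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if _LINE_BREAK.search(decoded) or _PERCENT_BREAK.search(value):
        return False
    return _INJECTED_HEADER.search(decoded) is None


def naive_headers(from_addr: str, reply_to: str) -> str:
    """The vulnerable pattern: form fields concatenated into the header block."""
    return f"From: {from_addr}\r\nReply-To: {reply_to}\r\n"


def safe_headers(from_addr: str, reply_to: str) -> str:
    """Same header block, but every form-supplied field is validated first."""
    for name, value in (("from", from_addr), ("reply_to", reply_to)):
        if not is_header_safe(value):
            raise ValueError(f"header injection attempt in {name!r}: {value!r}")
    return f"From: {from_addr}\r\nReply-To: {reply_to}\r\n"


def header_lines(block: str) -> list[str]:
    """Split a CRLF header block into its non-empty lines (for inspection)."""
    return [ln for ln in block.split("\r\n") if ln]


# Constructed sample inputs, not taken from the thread.
BENIGN = "kasimir@example.org"
INJECTED = "kasimir@example.org\r\nBcc: spamtarget@example.net\r\nContent-Type: text/html"
ENCODED = "kasimir@example.org%0d%0aBcc: spamtarget@example.net"

if __name__ == "__main__":
    # Two form fields turn into four header lines with the naive builder.
    for line in header_lines(naive_headers(BENIGN, INJECTED)):
        print("naive  :", line)
    for sample in (BENIGN, INJECTED, ENCODED, "x%250aBcc: y"):
        print("safe?  :", is_header_safe(sample), repr(sample))
    try:
        safe_headers(BENIGN, ENCODED)
    except ValueError as exc:
        print("blocked:", exc)
```

The check is deliberately a reject, not a strip: silently removing CR/LF leaves "Bcc: spamtarget@example.net" glued onto the previous field, which is still a clue that the request was hostile and worth logging. Run the same validation on every field that ends up in a header (name, e-mail, subject), and keep the captcha or rate limit on the forms that are hit hardest, as the post suggests.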