[thelist] Email header injection

Kasimir K evolt at kasimir-k.fi
Fri Nov 11 08:26:09 CST 2005


Nick Wilsdon wrote on 2005-11-11 13:10:
> If they can turn the form
> into HTML they have an opportunity to use HEX characters, which you aren't
> stripping out there. 

But aren't both \n and %0A just different ways of presenting 00001010?

And injections seem to have been successful only a couple of times (probes 
only, fortunately). Another curious thing is that, as this exploit script 
seems to be using the domain name in question as form input, I've put in a 
test to catch those and send myself a message with the request headers and 
body. But a couple of times this seems to have failed too.

Here's a sample of request bodies:
[message] => over3449 at kasimir-k.fi
[email] => at
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: ow, suppose illigan s father whin he
bcc: onemoreaddress at hotpop.com

9048a0399b07ab486baafd4a0334ef1f
.

[send] => over3449 at kasimir-k.fi
[name] => over3449 at kasimir-k.fi

The script is normally executed as many times as there are fields in the 
form. It tries the header input for each field in turn, and the rest it 
populates with the fake address.

So now I added a check for the 'send' field - it is the submit button, so 
its value should never be anything else than what it is set to. So if 
the value of 'send' is not 'send', then it is an exploit attempt. Let's 
see if this is enough.

.k
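As an added example (not code from the thread or its author), a Python check in the spirit of the 'send' field test above: it rejects a tampered submit button and any header-bound field carrying CR/LF after one round of URL-decoding, which is why %0A and \n are the same to it. The field names, addresses and sample submission are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample modelled on the request body in the post: one field carries
# injected headers, every other field is filled with the fake address, and the
# submit button value is not what the form sets it to.
SAMPLE_FORM = {
    "message": "over3449@example.invalid",
    "email": ("at\nContent-Type: text/plain; charset=\"us-ascii\"\n"
              "MIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\n"
              "Subject: constructed subject\nbcc: onemoreaddress@example.invalid\n"
              "\nconstructed body\n."),
    "send": "over3449@example.invalid",
    "name": "over3449@example.invalid",
}

# Constructed legitimate submission for comparison.
CLEAN_FORM = {"message": "Hello,\nthanks!", "email": "alice@example.invalid",
              "send": "send", "name": "Alice"}

# Fields that end up inside mail headers; a free-text body may contain newlines.
HEADER_FIELDS = ("email", "name", "send")  # assumed form layout


def contains_header_break(value: str) -> bool:
    """True if the value holds CR or LF once URL-decoded.

    The web server has usually decoded %0A to 0x0A already; decoding once more
    also catches a value that arrived still percent-encoded."""
    decoded = unquote(value)
    return "\r" in decoded or "\n" in decoded


def check_form(fields: dict, submit_name: str = "send",
               submit_value: str = "send") -> list:
    """Return the reasons a submission looks like a header-injection probe."""
    reasons = []
    if fields.get(submit_name) != submit_value:
        reasons.append(f"{submit_name} tampered: {fields.get(submit_name)!r}")
    for name in HEADER_FIELDS:
        if name in fields and contains_header_break(fields[name]):
            reasons.append(f"{name} contains a line break")
    return reasons


if __name__ == "__main__":
    print(check_form(SAMPLE_FORM))  # two reasons: send tampered, email has a break
    print(check_form(CLEAN_FORM))   # []
```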


