[thelist] Email header injection

Kasimir K evolt at kasimir-k.fi
Fri Nov 11 12:45:22 CST 2005

Noah St. Amand scribeva in 2005-11-11 17:40:
> 1. setting a hidden variable in the form

The problem with this one is, that for the bots the hidden fields are 
not that hidden... Then again, as the bot is using the same value for 
all input fields (including submit) it would be easy to check if this is 
the case.

But no need for a hidden field, as submit's value can be also checked. 
In the form:
<input type="submit" name="send" value="send">
if ($_POST['send'] != 'send') { ...

The strange thing though is, that this is not working for me every 
time... most of the time yes, but not always. And it sure beats me how 
it possible that 'weeping9702 at kasimir-k.fi' == 'send'

Obviously something very stupid which I'll be ashamed of later :-)

> 2. setting a session cookie on the form page

Same problem as with Referer: legit users would be bit - some people 
don't like cookies.

> Anyway, I'm just interested in what other people with the same problem 
> think about these solutions.

I think the key is that these bots use a fake email address as input for 
all fields except the one where they put the headers. If there are 
fields that we definitely know should not contain anything like that 
(submit, hidden fields, checkboxes, radios, ..) it is easy to check.

Once the bots learn to be so cleaver that they don't touch those fields, 
  one could use regular text input with value like: "check field, don't 
touch", and maybe disable the field too, maybe put it outside the 
viewport with css.

This is intriguing problem, as it shows us that even something so 
ridiculously simple as a contact form must be made secure. So it's no 
more just e-commerce and the likes that must be done properly - any 
script we put up there for public access must be throughly solid.


More information about the thelist mailing list