[thelist] Email header injection

Kasimir K evolt at kasimir-k.fi
Sat Nov 12 05:09:01 CST 2005

Phil Turmel scribeva in 2005-11-12 00:57:
> You have to realize there are two separate objectives here, one more 
> important than the other:
> 1) Prevent bots from filling in contact forms, so they don't bother the 
> webmaster, and
> 2) Prevent bots from injecting headers, so they don't use your server to 
> bother the rest of the web.

Yes, important point, well put, and I fully agree.

To be really safe, simply don't put any user input in the mail header. 
For all my client work I do contact forms this way - as I might not be 
monitoring them constantly, I want to be really sure that they are safe 
now and tomorrow.

On my personal site I (for now) put stuff (carefully sanitized) in the 
header. There's the little convenience of being able to just hit reply - 
but more importantly, I'm reluctant to change functionality of my site 
because of some damn script kiddie... I rather spend an hour or two 
securing it.

All the tricks of using hidden fields etc. naturally don't provide any 
real protection - only convenience. Any real protection indeed comes 
only from accepting user input of expected type, and carefully 
sanitizing that (and not using it in mail headers).

Kasimir K scribeva in 2005-11-11 18:45:
 > The strange thing though is, that this is not working for me every
 > time...
 > Obviously something very stupid which I'll be ashamed of later :-)

I had a forgotten script on my site... I am very, very ashamed :-)

To be sure that your PHP site hasn't any forgotten mailing scripts, do a 
site wide search for "mail(", and make sure it only appears where it should.


More information about the thelist mailing list