[thelist] Email header injection

Phil Turmel philip at turmel.org
Sat Nov 12 09:52:28 CST 2005

Tim Burgan wrote:
> Going on from what you said (attached below), so to:
>   a. Prevent issue #1:
>        Use techniques discussed in this thread.
>   b. Prevent issue #2:
>        Sanitise all input ( for example in PHP,
>        use the htmlspecialchars() function )
> Is this correct?
> Phil Turmel wrote:
>>1) Prevent bots from filling in contact forms, so they don't bother the 
>>webmaster, and
>>2) Prevent bots from injecting headers, so they don't use your server to 
>>bother the rest of the web.


When it comes to security from spammers, defense in depth is required:

For #1, start with speed bumps.

Require session cookies, and a hidden unique ID in the form, for form 
submittal.  Set the unique ID on pages that link to the contact form, 
but not on the contact form page itself.  Timestamp the unique ID 
creation within your session data.  If the contact form is opened 
without a unique ID in the session, redirect back to the home page.  If 
the contact form is submitted before the unique ID is 10 seconds old, 
throw an error page w/ apology, and redirect back to the home page. 
Delete the unique ID in your session on successful submission.

For #2, sanitize the submitted form's from address and subject:

First, run the submitted from address (and any other email addresses) 
through a validator function, like this PHP one:

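function EmailOK( $addr ) {
	// Reject a second @, consecutive dots, and dots next to @ or at the start.
	$pattern1 = '/(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)/';
	if ( preg_match( $pattern1, $addr ))
		return FALSE;
	// Whole-string match; D keeps $ from matching before a trailing newline.
	$pattern2 = '/^[-\.a-z0-9_\+]+@([-a-z0-9_]+\.)+[a-z]{2,5}$/iD';
	return preg_match( $pattern2, $addr );
}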

Second, search for any form of newline in the submitted subject.  If you 
find one, fail.

If either of these sanitizers finds a problem, return the form to the 
submitter for further editing.

I also run the submitted message body through PHP's wordwrap() function, 
but that's not a failure point.

If you're really paranoid, you could load the message body as XML, scan 
the tree to delete unacceptable tags, then convert it back to text.

Bottom line:
Speed bumps stop the trivial scripter.  Input sanitization stops the 
spammer.  Failure to deliver spam causes the serious scripter to leave 
you alone. (Cracking effort for no gain... not gonna happen.)
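
Added example, not part of the original post: the two checks for #2 (address validation and the subject newline test) run over a few constructed submissions, including an address with a trailing newline, which a "$" anchor without the D modifier would accept. The names address_ok(), has_newline() and check_contact_form() are hypothetical, and treating URL-encoded %0a/%0d as a newline is an assumption made here.

```php
<?php
// Added example, not code from the original post. Function names are
// hypothetical and the sample submissions are constructed.

// Address check based on the post's EmailOK(); the D modifier stops "$"
// from matching just before a trailing newline.
function address_ok(string $addr): bool {
    if (preg_match('/(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)/', $addr)) {
        return false;
    }
    return preg_match('/^[-\.a-z0-9_\+]+@([-a-z0-9_]+\.)+[a-z]{2,5}$/iD', $addr) === 1;
}

// "Any form of newline": raw CR or LF, plus URL-encoded %0a/%0d (assumption:
// a conservative extra, in case a value arrives still encoded).
function has_newline(string $value): bool {
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Returns the names of the fields that failed; an empty list means the
// values can be placed in mail headers.
function check_contact_form(array $form): array {
    $bad = [];
    if (!address_ok($form['from'] ?? '')) {
        $bad[] = 'from';
    }
    if (has_newline($form['subject'] ?? '')) {
        $bad[] = 'subject';
    }
    return $bad;
}

// Constructed submissions.
$samples = [
    'clean'            => ['from' => 'visitor@example.com', 'subject' => 'Question about pricing'],
    'trailing newline' => ['from' => "visitor@example.com\n", 'subject' => 'Hello'],
    'extra header'     => ['from' => 'visitor@example.com', 'subject' => "Hello\r\nX-Extra: value"],
    'encoded newline'  => ['from' => 'visitor@example.com', 'subject' => 'Hello%0AX-Extra: value'],
];

foreach ($samples as $label => $form) {
    $bad = check_contact_form($form);
    printf("%-17s %s\n", $label, $bad ? 'return form to submitter: ' . implode(', ', $bad) : 'ok to send');
}
```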


