Hi All,

Here is my problem. I have a pretty straightforward form I use that was developed to hide the mailto: email address. I have used a couple different modifications of it and I am starting to get hit with email injection attacks on one right now.
This first code is the one being hit...

if(isset($Submit))
{
    if($name != "" && $email != "")
    {
        $message = "Referral Program from Trafick IMS:<br><br>
        Name: $name<br>
        Email: $email<br>
        Friends Name: $friend<br>
        Friends Email: $friendmail";

        $headers = "MIME-Version: 1.0\n";
        $headers .= "Content-Type: text/html; charset=iso-8859-1\n";
        $headers .= "X-MSMail-Priority: High\n";
        $headers .= "From: <$email>\n";
        $headers .= "Reply-To: <$email>\n";

        mail("curtis@trafick.net,$email", "Referral Program Information", $message, $headers);

        header("Location: referralthanks.htm");
    }
    else
    {
        $error = "y";
    }
}

This one is on the same site, yet it is not being hit... yet:

if(isset($Submit))
{
    if($name != "" && $email != "")
    {
        $message = "Quote Request from Website:<br><br>
        Name: $name<br>
        Email: $email<br>
        Location: $where<br>
        Comment/Question: $needs<br>
        Phone Number: $number";

        $headers = "MIME-Version: 1.0\n";
        $headers .= "Content-Type: text/html; charset=iso-8859-1\n";
        $headers .= "From: <$email>\n";
        $headers .= "Reply-To: <$email>\n";

        mail("curtis@trafick.net,$email", "Quote Request from Website", $message, $headers);

        header("Location: thanks.htm");
    }
    else
    {
        $error = "y";
    }
}

Any Suggestions for a bit more security?????

Thanks in Advance!!!!
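
Added example, not part of the original post or of any reply: one way to harden the referral handler above against header injection. It assumes PHP 7.4+, takes the fields from an array such as $_POST rather than from register_globals-style variables, and uses a placeholder From address (no-reply@example.invalid); the function names are hypothetical.

```php
<?php
// Added example (not the poster's code); function names are hypothetical.
// Return the address only if it is single-line and syntactically valid.
function clean_email(string $value): ?string
{
    // CR or LF is what lets a form field start a new header line.
    if (preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return filter_var(trim($value), FILTER_VALIDATE_EMAIL) ?: null;
}

// Build [to, subject, body, headers], or null if the submission is dropped.
function build_referral_mail(array $post): ?array
{
    $name  = trim((string)($post['name'] ?? ''));
    $email = clean_email((string)($post['email'] ?? ''));
    if ($name === '' || $email === null) {
        return null;
    }
    // The body is sent as text/html, so visitor-supplied values are escaped.
    $esc = fn($v) => htmlspecialchars((string)$v, ENT_QUOTES, 'ISO-8859-1');
    $body = "Referral Program from Trafick IMS:<br><br>\n"
        . "Name: " . $esc($name) . "<br>\n"
        . "Email: " . $esc($email) . "<br>\n"
        . "Friends Name: " . $esc($post['friend'] ?? '') . "<br>\n"
        . "Friends Email: " . $esc($post['friendmail'] ?? '');
    $headers = implode("\r\n", [
        'MIME-Version: 1.0',
        'Content-Type: text/html; charset=iso-8859-1',
        'From: <no-reply@example.invalid>', // placeholder: a fixed site address
        "Reply-To: <$email>",               // validated, single-line
    ]);
    // Fixed recipient only; the visitor's address is not added to the To list.
    return ['curtis@trafick.net', 'Referral Program Information', $body, $headers];
}

// Constructed submissions: a normal one, and one whose email field has a line break.
$samples = [
    ['name' => 'Ann', 'email' => 'ann@example.com', 'friend' => 'Bob'],
    ['name' => 'x', 'email' => "x@example.com\r\nBcc: someone@example.net"],
];
foreach ($samples as $post) {
    $mail = build_referral_mail($post);
    echo $mail === null ? "rejected\n" : "accepted:\n{$mail[3]}\n";
}
// In the form handler: if ($mail = build_referral_mail($_POST)) { mail(...$mail); }
```

The subject stays a constant here; any form field later placed in the subject or headers needs the same line-break check.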

    The injected email header in forms is going to be a huge mess. For example, I first contacted my host about this and got an arrogant answer that my code was "all wrong". They then offered to fix it for a price. They don't have a clue about what I am talking about...and I sure as hell am not going to tell them after that. This is called "teaching by omission". :eek:
