Mail Injection reject how to?

duppie

Hi I have a problem on one of my websites I manage
It gets mail injected.

The problem is I have hardcoded a $to in the script ($to is comming from a D😎
and the Headers is hardcoded and the message is comming from a field with name and email.

How can I block mail injectors? and block them permanently?

Greets,

Aron

MarkR

Check all the stuff which goes in the headers for \n or \r. In fact check all the fields which are relevant.

Write a common mail function wrapper across your entire app which does various useful things (for example, have a switch to send messages to a test address on your dev server, and/or put a DEV: prefix on the subject).

This wrapper can then reject any request which contains newlines in any of the parameters (unless they are going into the body).

It should really throw a hard error which invokes your standard error handler, logging as necessary.

Mark

duppie

I was thinking. Is a counter maybe in handy?
U can send 3 messages per 30Min. after that Block.
because I only allow name Mail and Multiline Body the rest i make my self in the code. So a /r/n will not work i think. Maybe if i check for HTML (the precense of < or > in the mail)

blackhorse

http://www.securephpwiki.com/index.php/Email_Injection?seenIEPage=1

Do you use the email as the "from"? that might be the point of the injection.

xblue

I have been thinking about this recently, too.

I decided to
- completely avoid using user-generated in any of the mail functions arguments that go into the mail header, i.e. 1st, 2nd and 4th
- if necessary carefully validating user-generated content used in the header, rather by restricting allowed characters then by allowing everything but certain characters, as you can always miss something.

I would probably validate email addresses with regex. For content that is supposed to be used in the subject line, the easiest way seems to have certain subjects for the user to choose from, and set it to "other" or something if the submitted data does not match any of these (maybe putting the original into the body to see what it looked like).

I just felt I'd share these thought, as I would definitely like to know if I missed something.