Hello again phpbuilders. For a number of my clients' websites I have always coded a basic contact form, generally using the same code. I am wondering if my contact form would be vulnerable to header injections? In other words, hijacking the email headers to perhaps use the contact form to send emails out to other emails, maybe using it to send email spam. Below is the code I have used for maybe over 10 websites (!!!).
EXAMPLE ONE, When I am not using my own headers:
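<?php
// Build the message body from the submitted fields and send it to a fixed address.
if (isset($_POST['xxaction']) && $_POST['xxaction'] == "submit") {
    $message =
"Name: {$_POST['xxname']}
Email: {$_POST['xxemail']}
Enquiry:
{$_POST['xxenquiry']}";
    // No fourth argument: mail() receives no additional headers here.
    mail('info@xxx.co.uk', 'Contact Form', $message);
    $contact = true;
}
?>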
EXAMPLE TWO, When I allow my own headers:
<?php
if (isset($_POST['Submit'])) {
    // Fixed From header for the outgoing mail.
    $headers = 'From: Motorvogue' . "\r\n";
    $youremail = 'atomiku@gmail.com';
    $fromsubject = 'Driver Training';
    $to = $youremail;
    $mailsubject = 'Message recieved from'.$fromsubject.' Contact Page';
    $body = $fromsubject."\n"."Information would be here.";
    mail($to, $fromsubject, $body, $headers);
}
?>
I am unable to test my code for the vulnerability right now, so I will need someone to confirm if my code is in fact vulnerable. I believe the solution is to block \r\n from all inputted data?
Many Thanks.
Matt.
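Added example, not part of the original post or its author's code: submitted data can only alter mail headers when it reaches the recipient, subject or additional-headers arguments of mail(), so the CR/LF check belongs on those values rather than on the message body. The code below applies that check to a visitor address used as Reply-To; the function names, the noreply@example.com address and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: helper names and addresses are hypothetical, sample inputs are constructed.

/** True when a value contains no CR, LF or NUL and so cannot start a new header line. */
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * Build the additional-headers string for mail().
 * The From header is a constant; the visitor's address is only used as
 * Reply-To, and only after it passes both checks. Returns null on rejection.
 */
function build_headers(string $visitorEmail): ?string
{
    $visitorEmail = trim($visitorEmail);
    if (!is_header_safe($visitorEmail)) {
        return null; // embedded line break: would add an extra header line
    }
    if (filter_var($visitorEmail, FILTER_VALIDATE_EMAIL) === false) {
        return null; // not a syntactically valid address
    }
    return "From: Contact Form <noreply@example.com>\r\n" .
           "Reply-To: {$visitorEmail}";
}

// Constructed sample submissions for the xxemail field.
$samples = [
    'visitor@example.org',                               // ordinary address
    "visitor@example.org\r\nBcc: other@example.net",     // tries to append a header
    "visitor@example.org\nContent-Type: text/html",      // bare LF variant
    'not an address',                                    // fails address validation
];

foreach ($samples as $input) {
    $headers = build_headers($input);
    printf("%-55s %s\n", json_encode($input), $headers === null ? 'REJECTED' : 'accepted');
    // On acceptance the form handler would call:
    // mail('info@example.com', 'Contact Form', $message, $headers);
}
```

Name and enquiry text placed only in the message body can keep their line breaks, since the body is not parsed as headers.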