PHP security of mail function - php

The PHP ZCE exam study guide says:
Your PHP application sends an email with data provided by the user, using PHP's mail() function. How can an attacker inject a custom BCC header to that email?
A: Adding "\rBcc: email@example.com" to the subject
B: Adding "\nBcc: email@example.com" to the mail body
C: Adding "\r\nBcc: email@example.com" to the sender's address
D: None of the above
Correct answer: D: None of the above
Can anyone explain why "C" is not the correct answer?

The correct answer is actually D because "\r\n" characters are not interpreted when provided from user input.
Some examples to illustrate. Given the following code:
$headers = "From: from@example.com{$_GET['q']}";
$result = mail('test@example.com', 'subject', 'message', $headers);
Providing via GET parameter: http://example.com?q="\r\nBcc:%20test2@example.com" will not work. But this will work: http://example.com?q=%0D%0ABcc:%20test2@example.com
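The difference between the two requests above, shown as an added example (not code from the original answer). urldecode() stands in for the decoding PHP applies to query-string values before they reach $_GET, and header_lines() and has_line_break() are hypothetical helpers; nothing is sent.

```php
<?php
// Constructed inputs: the value PHP would place in $_GET['q'] for each request.
$typed   = urldecode('"\r\nBcc:%20test2@example.com"'); // backslash, r, backslash, n stay four literal characters
$encoded = urldecode('%0D%0ABcc:%20test2@example.com'); // %0D%0A decodes to real CR and LF bytes

// Hypothetical helper: split a header block into lines the way a mail transport reads it.
function header_lines(string $headers): array
{
    return preg_split('/\r\n|\r|\n/', $headers);
}

// Hypothetical helper: true when a value would end the current header line.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

foreach (['typed' => $typed, 'encoded' => $encoded] as $name => $q) {
    // Same concatenation as the vulnerable $headers line in the answer.
    $lines = header_lines("From: from@example.com{$q}");
    printf("%-8s %d header line(s)\n", $name, count($lines));
    foreach ($lines as $line) {
        printf("         %s\n", $line);
    }
    // The check a handler should apply before the value gets near mail().
    echo '         ', has_line_break($q) ? 'reject: CR or LF in header value' : 'no line break found', "\n";
}
```

Only the value carrying real CR and LF bytes produces a second header line, and that is the value the check refuses.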

Related

PHP's Mail Function Displays my CPanel Login Information

I am sending an e-mail from my php code when certain events occur (i.e., someone posts a reply to a message on my message board). I used this simple code:
mail('me@aol.com', 'Someone Just Posted a Reply.', 'Check the message board, because someone just posted a reply.');
The code executes and I do receive an e-mail. The problem is that when I get the e-mail, the "from" line in the e-mail gives away my cpanel login for my GoDaddy hosting account. I cannot seem to find anything on GoDaddy's site that explains how to disguise this or change this to just reflect the name of my website rather than give away my login to all users every time I send a push notification.
You have to use the headers in the PHP's mail() function's additional_headers parameters to add more stuff, but this may possibly cause deliverability issues.
This is typically used to add extra headers (From, Cc, and Bcc). Multiple extra headers should be separated with a CRLF (\r\n). If outside data are used to compose this header, the data should be sanitized so that no unwanted headers could be injected.
With the above being said, your updated code should look something like:
<?php
$headers = array(
    'From' => 'webmaster@example.com', // Add your from address.
    'Reply-To' => 'webmaster@example.com', // Add your reply to address.
    'X-Mailer' => 'PHP/' . phpversion() // Optional stuff.
);
mail(
    "me@aol.com",
    "Someone Just Posted a Reply.",
    "Check the message board, because someone just posted a reply.",
    $headers // This way
);
Note: Make sure the above code is written in a single line. 😇

PHP mailer setting from address in mail function

OK, so I set up a PHP mailer on 2 separate pages on a site I am working on. I had previously worked through everything in the mailer on a site I built and it was straightforward how to set the email after setting all the variables:
mail("$email",
"Receipt: $thesubject",
"$message",
"From: $replyemail\nReply-To: $replyemail");
So this was what was at the end of the contact (processing) page. I have $email and $replyemail being put into the $message and they come out correctly in the message that gets sent to my email specified by $email.
The part I don't really understand is the address the message says it is coming from is not that $replyemail but instead it says it is being sent from:
rtl.srv@gmail.com
I saw a few posts that were similar but none of them fixed the issue. I followed this and checked to make sure the server's php.ini files had SAFE_MODE = off. Then added
'-f $replyemail'
to the end of the mail function above like that link advised but it didn't change anything... I saw somewhere else that it explained you may have to add the email address to the file /etc/mail/trusted-users but the issue is that email is dynamic, since that email name is whatever the user input as their email. Then the email is sent to the site admin to review, and I want the email to say it is from the email of the user that filled out the form.
I know the variables are set correctly because they are being printed out correctly inside the message of the email. So if anyone has any idea why this is happening or how I could go about fixing it I would appreciate any insight.
The project is built in wordpress but I just dropped the files onto the server through SSH, not sure if that has anything to do with it.
Thanks,
-Alan
There are a number of issues that can cause this, and I encountered this issue a while ago when I built my site. I solved it by first creating a function to handle the mailout for me:
function mailouthtml($to, $title, $body, $from = null){
    // Fall back to a default sender when the caller passes none.
    if(!isset($from)){
        $from = 'Default Sender<address@example.com>';
    }
    // $from ends up in the headers and in the -f option, so callers must validate it first.
    $header  = "Reply-To: $from\r\n";
    $header .= "Return-Path: $from\r\n";
    $header .= "From: $from\r\n";
    $header .= "Organization: Example.com, Inc.\r\n";
    $header .= "Content-Type: text/html\r\n";
    mail($to,$title,$body,$header,"-f $from");
}
Let me break this down a bit. The function calls for a To address, the email title, the email body, and the From address. The From address is used to add information to the email header. The header information of your email is what tells your mail server what to do with your email, and it needs a bit of info in order to handle the message properly.
The mail() function in PHP is formatted as follows:
mail($to,$title,$body,$headers,$additional_parameters);
The mailouthtml() function I've created here constructs the header manually, and adds the additional parameter "-f $from" to set the "From" field explicitly. The $from variable is optional in the function call; if it isn't present, it sets a default. You can find more information on the mail function Here.
Note the following:
Most MTAs require a Reply-To, Return-Path and From field, or it may be flagged as spam.
Content-Type is required to tell what type of content the mail server is delivering, typically text/html or text/plain.
I have an if(){} statement that sets a default address if none is specified. You can omit 'Default Sender' if you would rather not specify a name. You can also change that to whatever you'd like.
Organization is optional.
I would also recommend you have SPF enabled on your domain name, and DKIM signing on your messages. These are both implemented via DNS entries for your domain name. If you don't have access to that, no big deal; they're meant to control spam.
Also, if you have a dedicated server and your own IP address, make sure you have a Reverse DNS record set up. This will also help foreign MTAs identify your message as authentic.
Don't do this to yourself. Use some mature library like PHPMailer or SwiftMailer; they will help you to avoid this kind of trouble... I know there are more includes, etc., but there is no point in fighting this. If you still want to do this, try setting the Return-Path header.
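A defensive variant for the contact-form case in this thread, as an added example that is not the code of either answer. It assumes the site sends from its own fixed address (the hypothetical no-reply@example.com) and carries the visitor's address only in Reply-To after validating it; build_contact_mail() is a hypothetical helper that returns the arguments for mail() without sending.

```php
<?php
// Hypothetical fixed sender owned by the site; SPF and DKIM would be set up for its domain.
const SITE_SENDER = 'no-reply@example.com';

// Returns the argument list for mail(), or null when the visitor's input is unusable.
function build_contact_mail(string $adminTo, string $subject, string $body, string $visitorEmail): ?array
{
    // A subject or header value must never contain CR or LF.
    foreach ([$subject, $visitorEmail] as $field) {
        if (preg_match('/[\r\n]/', $field)) {
            return null;
        }
    }
    // Syntax check only; it does not prove the visitor owns the address.
    if (filter_var($visitorEmail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $headers = [
        'From'         => SITE_SENDER,
        'Reply-To'     => $visitorEmail,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    // The envelope sender is a constant, so no user input reaches the -f option.
    return [$adminTo, 'Receipt: ' . $subject, $body, $headers, '-f ' . SITE_SENDER];
}

// Constructed sample inputs for the visitor's address field.
$samples = [
    'alan@example.org',
    "alan@example.org\r\nBcc: other@example.org",
    'not an address',
];
foreach ($samples as $input) {
    $args = build_contact_mail('admin@example.com', 'Order 17', 'Thanks for your order.', $input);
    $outcome = $args === null ? 'rejected' : 'ok, Reply-To: ' . $args[3]['Reply-To'];
    echo json_encode($input), ' => ', $outcome, "\n";
}
```

The returned array can be passed on with mail(...$args) once the caller has checked it is not null.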

How to send email to groups in lotus domino server using PHP

I have code in PHP that sends emails to users and it's working as expected. I need help in figuring out how to send email to a group defined in Lotus Notes. So basically there is a group existing with some name such as DEV TEAM, and if I type this directly, PHP throws 501 Syntax error, parameters in command..... So, is there a way to figure out how to retrieve the email address format for this group, or any other way to send emails?
I know with all you gurus here, I will get some solution definitely:).
Thanks for any help in advance.
Please let me know if I can provide any other details.
Code through which I am able to send emails to users but not to a group in lotus notes.
<?php
$to = "testuserto@domain.com";
$subject = "TEST EMAIL";
$message = "Hello! Its is test email.";
$from = "testuser@domain.com";
$headers = "From:" . $from . "\r\n";
$headers .= "Content-Type: text/html";
mail($to,$subject,$message,$headers);
?>
See my comment on your question. If my assumptions are correct, then the administrator of your Domino server must check the following:
DEV TEAM is a valid group in the Domino Directory, with type "Mail Only" or "Multi-Purpose".
There is no readers field on the DEV TEAM group that would restrict anonymous users from sending to it.
There are no mail rules or restrictions in the server's config document that prevent messages from being sent to the group.
The Internet Address field in the DEV TEAM group document in the Domino Directory has been configured. This should be a valid RFC-821 address, such as DEV_TEAM@yourDomain.com (This is probably optional, but it makes it easier to document the solution.)
Once you have confirmed the above configuration information, your code should use the value that was configured in Internet Address field of the DEV TEAM group in the Domino Directory. (I.e., DEV_TEAM@yourDomain.com)
My guess is that it has got very little to do with the fact that it's a Domino server. I assume the address(es) in $from or $to are malformed. See also http://www-01.ibm.com/support/docview.wss?uid=swg21105288, concerning strict RFC821 format, where '<' and '>' are required.
In any case, mail to "dev team@domain.com" won't work, the address is invalid.

email header injection - example not working

First of all, this question is for personal knowledge, and not for any kind of attack :) Hope you'll believe me and give me some hints.
I'm trying to reproduce an example of mail header injection I found (link-> http://www.phpsecure.info/v2/article/MailHeadersInject.en.php). Basically it uses a form to get 3 parameters (subject, message and sender mail), then these parameters are sent with POST method and used in the php mail() function to an admin's mail.
Everything works fine, each mail is sent without problem, but when I try to inject some other parameters such as Cc, Bcc etc. the trick doesn't work: neither \r & \n nor %0A & %0D are interpreted as CR and LF. For example, if I put my@mail.com%0ACc:foo@bar.com in the "From" field, in the "my@mail.com" inbox I'll find the mail, with the same "From" field as it was sent (my@mail.com%0ACc:foo@bar.com). Does PHP or does the input tag encode (or unencode) the input properly? How can I make it work?
Hope you can understand my bad english, thanks in advance, best regards.
ps: the article I linked is dated 2005, recently I've found that a similar bug with http headers splitting using php function "header()" was fixed, so I thought that they fixed email headers injection problem too.. But I can't find anything on the web that confirms this.
______________________EDIT________________________________________
Example working, modifying header within php code:
$to = "admin@mail.com";
$sub = "this is the subject";
$msg = "this is the message";
$header = "From: foo@foo.com"."\r\n"."Cc: bar@bar.com";
if(mail($to, $sub, $msg, $header."\n")){
    echo "sent";
}else{
    echo "error";
}
The email is correctly received both from foo@foo.com and bar@bar.com
Examples NOT working (this is the problem I'd like to solve with your help):
Once I send the mail with the "send" button, only foo@foo.com will get the e-mail, and in the "from" detail (inside the mail) I'll find (1st case) foo@foo.comrnCc: bar@bar.com or (2nd case) foo@foo.com%0D%0ACc: bar@bar.com.
I always find I need to use both \r\n in order for the headers to be sent properly.

Advance PHP mail script

I have created a PHP mail script, and in the message of the mail I send I am using many variables (data). For example, I want to send a mail with this body message:
Name: Somename
Email: someemail@somwhere.com
City: Somecity
State: somestate
.........
What I am doing is this:
$msg = "Name: $name (brake) Email: $email (brake)......"
This message is not working in major email services like Gmail, Hotmail, Yahoo...
I get the mail with HTML tags and I don't want that.
There must be some other way to do this so my mail structure looks good on every email account?
Make sure in the header declarations you are declaring it as an HTML e-mail.
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
http://php.net/manual/en/function.mail.php should help out as well. Follow the example code in there and it's guaranteed to work.
I would recommend the PHP email packages available through PEAR:
PEAR Mail - for interfacing with the server/smtp mailer and performing the action of sending
PEAR Mail_Mime - Which handles the formatting for sending of plaintext or HTML email.
Check out the documentation for usage.
Well there is the possibility that you aren't setting the header to indicate that the type is HTML. But why would you want to roll your own mail sender. There is a great email sender for php: http://sourceforge.net/projects/phpmailer/ and it is free.
