first of all this question is for personal knowledge, and not for any kind of attack :) hope you'll believe me and give me some hints.
I'm trying to reproduce an example of mail header injection I found (link-> http://www.phpsecure.info/v2/article/MailHeadersInject.en.php). Basically it uses a form to get 3 parameters (subject, message and sender mail), then these parameters are sent with POST method and used in the php mail() function to an admin's mail.
Everything works fine, each mail is sent without problem but when I try to inject some other parameters as Cc, Bcc etc the trick doesn't work: neither \r & \n nor %0A & %0D are interpreted as CL and RF. For example, if I put my#mail.com%0ACc:foo#bar.com in the "From" field, in "my#mail.com" inbox I'll find the mail, with the same "From" field as it was sent (my#mail.com%0ACc:foo#bar.com). Does php or does input tag encode (or unencode) properly the input? How can I make it work?
Hope you can understand my bad english, thanks in advance, best regards.
ps: the article I linked is dated 2005, recently I've found that a similar bug with http headers splitting using php function "header()" was fixed, so I thought that they fixed email headers injection problem too.. But I can't find anything on the web that confirms this.
______________________EDIT________________________________________
Example working, modifying header within php code:
$to = "admin#mail.com";
$sub = "this is the subject";
$msg = "this is the message";
$header = "From: foo#foo.com"."\r\n"."Cc: bar#bar.com";
$if(mail($to, $sub, $msg, $header."\n")){
echo "sent";
}else{
echo "error";
}
The email is correctly received both from foo#foo.com and bar#bar.com
Examples NOT working (this is the problem I'd like to solve with your help):
Once I send the mail with "send" button, only foo#foo.com will get the e-mail, and in the "from" detail (inside the mail) I'll find (1st case) foo#foo.comrnCc: bar#bar.com or (2nd case)foo#foo.com%0D%0ACc: bar#bar.com.
I always find i need to use both \r\n in order for the headers to be sent properly.
Related
I am sending an e-mail from my php code when certain events occur (i.e., someone posts a reply to a message on my message board). I used this simple code:
mail (me#aol.com, 'Someone Just Posted a Reply.', 'Check the message board, because someone just posted a reply.');
The code executes and I do receive an e-mail. The problem is that when I get the e-mail, the "from" line in the e-mail gives away my cpanel login for my GoDaddy hosting account. I cannot seem to find anything on GoDaddy's site that explains how to disguise this or change this to just reflect the name of my website rather than give away my login to all users every time I send a push notification.
You have to use the headers in the PHP's mail() function's additional_headers parameters to add more stuff, but this may possibly cause deliverability issues.
This is typically used to add extra headers (From, Cc, and Bcc). Multiple extra headers should be separated with a CRLF (\r\n). If outside data are used to compose this header, the data should be sanitized so that no unwanted headers could be injected.
With above being said, your updated code should look something like:
<?php
$headers = array(
'From' => 'webmaster#example.com', // Add your from address.
'Reply-To' => 'webmaster#example.com', // Add your reply to address.
'X-Mailer' => 'PHP/' . phpversion() // Optional stuff.
);
mail(
"me#aol.com",
"Someone Just Posted a Reply.",
"Check the message board, because someone just posted a reply.",
$headers // This way
);
Note: Make sure the above code is written in a single line. 😇
PHP zce exam study guide says
Your PHP application sends an email with data provided by the user, using PHP's mail() function. How can an attacker inject a custom BCC header to that email?
A: Adding "\rBcc: email#example.com" to the subject
B: Adding "\nBcc: email#example.com" to the mail body
C: Adding "\r\nBcc: email#example.com" to the sender's address
D: None of the above
Correct answer: D: None of the above
Can anyone explain why "C" is not correct answer?
The correct answer is actually D because "\r\n" characters are not interpreted when provided from user input.
Some examples to illustrate: Giving the following code:
$headers = "From: from#example.com{$_GET['q']}";
$result = mail('test#example.com', 'subject', 'message', $headers);
Providing via get parameter: http://example.com?q="\r\nBcc:%20test2#example.com" will not work. But this will work: http://example.com?q=%0D%0ABcc:%20test2#example.com
Could you advise me how do I go about preventing email injection in PHP mail() without losing original message data? E.g. if I need to allow user to use \r\n, To, CC etc, so I do not want to completely strip them away from the message - I still want them delivered, but without adding any additional headers or somehow allowing mail injection to happen.
Most of the advices on internet suggest stripping that data away completely - but I do not want to do that.
I am sending plain text (non HTML) messages through PHP mail() function.
What would you advise?
To filter valid emails for use in the recipient email field, take a look at filter_var():
$email = filter_var($_POST['recipient_email'], FILTER_VALIDATE_EMAIL);
if ($email === FALSE) {
echo 'Invalid email';
exit(1);
}
This will make sure your users only supply singular, valid emails, which you can then pass to the mail() function. As far as I know, there's no way to inject headers through the message body using the PHP mail() function, so that data shouldn't need any special processing.
Update:
According to the documentation for mail(), when it's talking directly to an SMTP server, you will need to prevent full stops in the message body:
$body = str_replace("\n.", "\n..", $body);
Update #2:
Apparently, it's also possible to inject via the subject, as well, but since there is no FILTER_VALIDATE_EMAIL_SUBJECT, you'll need to do the filtering yourself:
$subject = str_ireplace(array("\r", "\n", '%0A', '%0D'), '', $_POST['subject']);
Suppose you you want to put the email address of the visitor in the optional header field like so:
$headers = "From: $visitorEmailAddress";
However, if
$visitorEmailAddress
contains
"address#email.com\n\nBCC:spam#v1agra.com"
you've made yourself a spam host, opening the door for mail injection.
This is a very simple example, but creative spammers and malicious hackers can sneak potentially damaging scripts in your email, since email is sent as a plaintext file. Even attachments are converted plaintext, and they can easily send attachements by adding a mimetype content line.
If your form validation for the FROM and/or TO fields is OK, you have to look at the form validation for the body of the email. I'd strip out the '-=' and '=-' characters, and prevent users from typing plain HTML by using strip_tags().
Try this for a review of various options:
http://www.codeproject.com/Articles/428076/PHP-Mail-Injection-Protection-and-E-Mail-Validatio
It covers several options and tries to explain the benefits and risks of each.
Use a designated mime email library, like Mail_Mime:
<?php
include 'Mail.php';
include 'Mail/mime.php' ;
$mime = new Mail_mime();
$mime->setTXTBody("Message goes here");
$hdrs = $mime->headers(array(
'From' => 'you#yourdomain.com',
'Subject' => 'Test mime message'
));
$body = $mime->get();
$mail = &Mail::factory('mail');
$mail->send('postmaster#localhost', $hdrs, $body);
?>
I have a website, and in the "Contact" section I have a form which users may fill in to contact me.
The form is a simple form which action is a php page.
The php code:
$to = "email#domain.com";
$name=$_POST['name']; // sender name
$email=$_POST['email']; // sender email
$tel= $_POST['tel']; // sender tel
$subject=$_POST['subject']; // subject CHOSEN FROM DROPLIST, ALL TESTED
$text=$_POST['text']; // Message from sender
$text.="\n\nTel:".$tel; // Added to message to show me the telephone nr to the sender at bottom of message
$headers="MIME-Version: 1.0"."\n";
$headers.="Content-type: text/plain; charset=UTF-8"."\n";
$headers.="From: $name <$email>"."\n";
mail($to, '=?UTF-8?B?'.base64_encode($subject).'?=', $text, $headers, '-fno-reply#domain.com');
Could somebody please tell me why this works most of the time, but sometimes I receive email whith no text and the subject line showing
=?UTF-8?B??=
I use outlook express, and I have read this System.Net.Mail and =?utf-8?B?XXXXX.... Headers
but it didn't help.
The problem is not in Outlook, because when I log in to the actual mailprogram where I fetch the POP3 emails from, the email looks the same.
When I right click in Outlook and chose "message source" then there is no "From" information.
Ex, a good message should look like this:
Subject: =?UTF-8?B?w5Z2cmlndA==?=
MIME-Version: 1.0
Content-type: text/plain; charset=UTF-8
From: John Doe
However, the ones with problem looks like this:
Subject: =?UTF-8?B??=
MIME-Version: 1.0
Content-type: text/plain; charset=UTF-8
From:
As if the information has been lost somewhere.
You should know also that I have a VPS, which I manage myself.
I use postfix as an emailserver, if thats got anything to do with it.
But then again, why does it work sometimes?
Also another thing that I have noticed is that sometimes special characters are not shown correctly (by both Outlook and the webmail).
For instance, the name "Björkman" in swedish is shown like Björkman, but again, only sometimes.
I hope anybody knows something about this problem, because it is very hard to track down for me atleast.
If you need more input let me know.
Thanks
When looking at PHP mail(), I see another line breaking: shouldn't you use \r\n as line endings?
And that Björkman example looks very much like your mail is not recognized as UTF-8 encoded.
I've been struggling with low level mail in PHP and I know I should be using a library for this, but that's not an option right now.
When doing mail in PHP, you can manually set additional headers, like From, Cc and Bcc, but you can also set Subject, To and a Body. When you call the function you pass the headers along to the mail() function, but that function also "asks for" a Subject, body and To.
My question then is: how does PHP handle the double intention in this? If you manually set the header to have Subject : foo, but then in the call to mail pass 'foo' along as the subject...?
I can't read C, so opening up PHP source probably won't help me here.
Thanks!
Well, no need to read C, just test it: it's a one liner :)
If you specify a subject in both places PHP does nothing special: you get an e-mail message with two subject headers. Which one gets displayed in your e-mail client is something I don't know; perhaps it's defined in e-mail protocols, perhaps it's a per-client choice.
About the "To" header, PHP sets one from the $to parameter when you don't specify a header manually; if you set one, your header prevails.
It's worth noting that the "From" and "To" headers have no effect in who sends and receives the message: they're purely informative. Mail server software requires senders and recipients to be specified implicitly; headers are not parsed for this purpose.
The question here seems to be if you specify a 'To' or a 'Subject' in the additional headers, what appears in the email produced.
If so, then the simple answer is to test it:
$add_to ='to: "added" <user#example.com>"; // substituting your email address
$param_to ='"param" <user#example.com>";
$add_subj ='subject: Subject in header';
$param_subj='Subject in param';
$add_hdr=$add_to . "\n" . $add_subj;
mail($param_to, $param_subj, "body - test", $add_hdr);
Then have a look at the message you get back.
C.
Right way - don't use Subject, To and a Body in headers. You can remove it from heders with regular expression, if you take headers as is. Other way - you can use PEAR library - http://pear.php.net/manual/en/package.mail.mail-mime.example.php