Reply to Re: Email injection on a contact form

Posted by stirrell on 08/07/06 20:23

Hello Miguel and Steven,

That's what I thought too - that something put into the body should not
be able to affect the headers of the email. But I don't see how else
this injection could have been done except through the message body
since that is the only object I wasn't checking for an injection
attempt (and the script caught a bunch of other attempts made through
other fields). I've thought about removing the checks for line breaks
and just looking for cc: and bcc: and then including the message body
but I didn't know if that would open me up at all.

Thank you for the tips. I will put them into place. Though if the
injection is through the body (does anyone else think this is
possible?) then using Miguel's clean_header_data wouldn't stop the
injection since it is going through the other form element.

Thanks again!

Sincerely,
Scott

Miguel Cruz wrote:
> Steven Musumeche <stevenmusumeche@yahoo.com> wrote:
> > stirrell@integrastrategic.com wrote:
> >> You're right - I probably am checking more than I need to but I
> >> figured it didn't hurt to check those inputs and I was trying to
> >> make sure I wasn't missing anything. Here is a copy of the message
> >> from the bounceback that I got from the server. To me, it looks like
> >> a successful injection attempt.
> >
> > You should also check the message for BCC, CC, etc. I had a problem in
> > which the injection attack was being successfully done in the message
> > body part of my contact form.
>
> Really? That shouldn't happen. If that works, then I could just send you
> an email with a thousand extra bcc's and your defective mail server
> would spam for me, no need for a PHP hole.
>
> miguel
> --
> Photos from 40 countries on 5 continents: http://travel.u.nu
> Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
> Airports of the world: http://airport.u.nu
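The mechanism the thread is circling around is a line break smuggled into a value that the script concatenates into the headers argument of mail(): the break ends the current header and whatever follows (a Bcc:, a Cc:, a second To:) is read as a new header. The body argument is handed to the mailer separately, after the blank line that closes the headers. Below is an added illustration, not code from this thread or from any poster; the function name build_headers, the field names and the example addresses are assumptions constructed for the demo.

```php
<?php
// Added example: reject any line break in a value that will land in the
// headers string. Only these values can inject headers; the body is passed
// to mail() as its own argument and cannot become a header.

function build_headers(array $fields): string {
    foreach ($fields as $name => $value) {
        // A raw CR or LF would terminate the current header line and let the
        // remainder of the value be parsed as further headers.
        if (preg_match('/[\r\n]/', $value)) {
            throw new InvalidArgumentException("line break in header field '$name'");
        }
        // Percent-encoded CR/LF are harmless here, but some setups decode twice;
        // refusing them costs nothing in a name or address field.
        if (preg_match('/%0[ad]/i', $value)) {
            throw new InvalidArgumentException("encoded line break in header field '$name'");
        }
    }
    $headers  = "From: {$fields['name']} <{$fields['email']}>\r\n";
    $headers .= "Reply-To: {$fields['email']}\r\n";
    return $headers;
}

// Constructed submissions: an honest one and one carrying an injected Bcc.
$honest  = ['name' => 'Alice Example',
            'email' => 'alice@example.com'];
$hostile = ['name' => "Alice Example\r\nBcc: third-party@example.com",
            'email' => 'alice@example.com'];

$body = "Hello,\n\nBcc: nobody@example.com\nThis line is body text, not a header.\n";

foreach ([$honest, $hostile] as $submission) {
    try {
        $headers = build_headers($submission);
        echo "accepted headers:\n$headers\n";
        // mail('owner@example.com', 'Contact form', $body, $headers);  // body stays body
    } catch (InvalidArgumentException $e) {
        echo "rejected submission: " . $e->getMessage() . "\n";
    }
}
```

Note that the "Bcc:" text inside $body is never a header because it sits after the header/body separator the mailer writes; scanning the body for "cc:" strings mainly produces false positives, whereas the CR/LF check on header-bound fields closes the actual path.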
