Reply to Re: [PHP] Mail Injection- Which Mail function Parameters CORRECTED

Posted by Curt Zirzow on 11/18/05 06:32

On Thu, Nov 17, 2005 at 07:10:06PM -0500, Chris Drozdowski wrote:
> Hello,
>
> When using the mail() function to send a simple mail message, which
> specific parameters of the function need to be cleaned to prevent mail
> injection?

This is a good topic. I'm in the process of writing an article on
it as well.

Consider:
mail ($to, $subject, $message, $additional_headers, $additional_parameters);

$to - yes (should clean)
----------
As we've seen, validating emails tends to be a long discussion on how to
properly accomplish the validation. Things to consider:

- Are you going to allow them to send to multiple emails?
- Do you want to allow them to include the name of the
person the email is to: "Joe Something" <joe@something.com>

Based on whatever validation you choose and what you want to
allow, the key things to watch out for are the comma (,),
semicolon (;), line feed/carriage return (\r and/or \n).


$subject - yes
----------
You want to ensure that \r and/or \n are properly removed (or
escaped).

$message - yes
---------------
This usually can go without any special escaping, unless you have
certain headers (the Boundary: header) or allow an injection into
the $additional_headers field. If this is the case a malicious
user could attach a virus to be sent anonymously.

$additional_headers - yes
-------------------------
As with $to, $subject you need to make sure \r and/or \n are
removed or escaped properly. The most common used header is the
From header:

From: "$fromname" <$fromemail>

As noted in the $message section, if you don't take care in
ensuring this parameter is handled correctly you could potentially
allow the user to set up their own Boundary: header, which then
would allow them to freely make whatever attachments they like.

Also this is where the open (well, pseudo open) relay occurs: if you
don't filter things properly, you can open up the CC: and BCC:
headers, allowing the person to anonymously send emails.

$additional_parameters - very much yes
--------------------------------------
The most common value passed here is usually something like:

"-f $fromemail"

If you consider what this actually does (sends parameters to the
sendmail binary directly), you could open yourself to exploits
unrelated to php itself. Caution should really be used when
allowing outside data to be used here.

>
> After reading http://securephp.damonkohler.com/index.php/
> Email_Injection, I gather the parameters that need to be cleaned to
> prevent mail injection are the $headers and the $additional_headers.

This is a nice article; it rather makes me wonder if my article will
be as good as this one.

Curt.
--
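As an added example (not code from Curt's post or from the linked article), here is a PHP wrapper that applies the per-parameter checks discussed above: reject CR/LF in every header-bound value, restrict $to and the From address to a single validated address, and never pass user data as the fifth (sendmail command-line) argument. The function names safe_mail(), contains_crlf() and valid_single_address() are assumptions, not PHP built-ins.

```php
<?php
// Added example: a defensive wrapper around mail(); helper names are our own.

function contains_crlf(string $s): bool {
    // Any CR or LF inside a header value lets the sender append extra headers
    return preg_match('/[\r\n]/', $s) === 1;
}

function valid_single_address(string $addr): bool {
    // One recipient only: no comma/semicolon separators, no CR/LF, and RFC-shaped syntax
    if (contains_crlf($addr) || strpbrk($addr, ',;') !== false) {
        return false;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

function safe_mail(string $to, string $subject, string $message,
                   string $fromName, string $fromEmail): bool {
    // Reject rather than silently strip: a stripped payload hides the attempt from logs
    if (!valid_single_address($to) || !valid_single_address($fromEmail)) {
        return false;
    }
    // Subject and the From display name both end up in headers, so CR/LF is fatal there too
    if (contains_crlf($subject) || contains_crlf($fromName)) {
        return false;
    }
    // Quote the display name and escape characters that would break the quoted-string form
    $fromName = addcslashes($fromName, '"\\');
    $headers  = "From: \"$fromName\" <$fromEmail>\r\n"
              . "Content-Type: text/plain; charset=UTF-8\r\n";
    // Deliberately no 5th argument: user data never reaches sendmail's command line (-f)
    return mail($to, $subject, $message, $headers);
}

// Constructed inputs: the second subject carries a CR/LF-embedded Bcc: header
$attempts = [
    ['to' => 'joe@example.com', 'subject' => 'Hello',
     'name' => 'Ann', 'from' => 'ann@example.com'],
    ['to' => 'joe@example.com', 'subject' => "Hello\r\nBcc: someone@example.net",
     'name' => 'Ann', 'from' => 'ann@example.com'],
];
foreach ($attempts as $a) {
    // Dry run of the validation only; safe_mail() itself would call mail()
    $ok = !contains_crlf($a['subject']) && !contains_crlf($a['name'])
        && valid_single_address($a['to']) && valid_single_address($a['from']);
    echo ($ok ? 'would send' : 'rejected') . ': ' . json_encode($a['subject']) . "\n";
}
```

The dry-run loop prints "would send" for the first input and "rejected" for the second; wire safe_mail() in place of a raw mail() call once the checks fit your allowed input.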
