Posted by Justin Koivisto on 09/30/47 11:34

xmp333@yahoo.com wrote:
>
> A spammer is apparently using email injection on my form, however my I
> thought email injection requires mainpulation of the headers parameter
> in mail() and I'm not using that parameter. My mail call looks like:
>
> mail($to,$subj,$body)
>
> So how is the spammer getting me? Is mail() translating to a raw
> stream so that headers can be inserted in the body, or is there some
> kind of buffer overflow that can be exploited? Since I'm using dynamic
> variables, I can't see how this would occur, but then I'm no PHP
> expert.
>
> Any help would be greatly appreciated. I know beefing up input
> validation should take care of this, but I want to understand what the
> spammer is doing so I can reproduce and validate this fix.

Some things that I like to do when processing forms...

On the page that has the form, generate some kind of token, store and
send with request:

<?php
session_start();
$token = md5('my secret'.microtime().'other secret');
$_SESSION['token'] = $token;
echo '<input type="hidden" name="token" value="',$token,'" />";
?>

on the receiving page...

<?php
session_start();
if(isset($_POST['token']) && $_SESSION['token']==$_POST['token']){
// this POST request should be a submission of my form, not a spoof
}else{
// the form submission was spoofed...
}
?>

In addition to that, I also do some flat-out rejection stuff as well...
Since I know the fields and what to expect, I run this test on all
fields that should NOT contain a line break of any type:

if(preg_match('`[\r\n]`',$_POST['fieldname'])){
// here, we found a newline or carriage return
// corrupted data should be set to empty string
$_POST['fieldname']='';

// decide how to handle this condition...
}

Most of the time if I find this, I'll report an error and ask for
resubmission, but in some cases (depending on the application) I will
simply kill execution.

--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com

[Back to original message]