Re: Email Injection w/ Out Header?

Posted by Gordon Burditt on 10/21/18 11:34

>> Are the contents of $to and $subj in any way whatever dependent
>> on form input? Is there any way either of those variables could
>> be made to contain a newline or carriage return? If so, that's
>> how they are doing it. Remember, the spammer NEED NOT use your
>> form so any Javascript checking is useless.
>>
>> Look at the headers of any mail message, and consider what
>> happens if $subj = "Make Money fast\r\nCc: spamee@aol.com".
>>
>> Gordon L. Burditt
>
>$to is not dependent on form input, but $subj is. This explains it --
>I wanted to make sure because all the information I found on email
>injection stated the header was used to manipulate the form.

The subject *IS* a header. If it's not in the body of the
message, it's a header.

>However,
>knowing what I know of mail() and Unix in general, it seemed possible
>to inject arbitrary headers elsewhere if the parameters were simply
>appended and the call translated to a raw text stream anyway, which
>looks like the case.

Mail is always transmitted as a text stream. That's what mail is.

You cannot inject headers after the first blank line (which separates
the headers from the body). $to, $subj, and $additional_headers
are headers.

Go to the page for the mail() function on php.net. Note that the
subject parameter is described as "This must not contain any newline
characters, or the mail may not be sent properly". Consider this
as something you *MUST ENFORCE*. Not mentioned are carriage return
characters, which also need to be eliminated. And don't remove the
offending characters. DON'T SEND THE MAIL, PERIOD. Provide the
user a nice message that he's a spammer and he's going to burn
in hell for a googol eternities.

If your ISP does not run *OUTGOING* mail through SpamAssassin and
an antivirus program, YOU should before sending it.

Gordon L. Burditt
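
Added example (not code from the original thread or from either poster) showing the two points above: what the raw header block looks like when $subj carries "Make Money fast\r\nCc: spamee@aol.com", and the check Gordon describes, which refuses to send rather than stripping the offending characters. The function names, the field names and the sample addresses are assumptions made for illustration; the input is constructed to mimic what a spammer would POST directly, bypassing any JavaScript on the form.

```php
<?php
// Added example, not from the original post. Function names, field names and
// addresses are assumptions for illustration only.

// A header value is clean only if it contains neither CR (\r) nor LF (\n).
// php.net warns about newlines in the subject; CR must be rejected too.
function header_value_is_clean(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Assemble the header block exactly as the MTA will parse it, so the effect
// of an injected CRLF can be seen before anything is sent.
function build_raw_headers(string $to, string $subject, string $from): string
{
    return "To: {$to}\r\nSubject: {$subject}\r\nFrom: {$from}\r\n";
}

// Wrapper around mail(): every parameter that ends up in a header is checked,
// and on any CR/LF the mail is NOT sent. The input is not "cleaned" and retried.
function send_form_mail(string $to, string $subject, string $body, string $from): bool
{
    $header_fields = ['to' => $to, 'subject' => $subject, 'from' => $from];
    foreach ($header_fields as $name => $value) {
        if (!header_value_is_clean($value)) {
            error_log("header injection attempt in '{$name}', mail not sent");
            return false;
        }
    }
    return mail($to, $subject, $body, "From: {$from}\r\n");
}

// Constructed input: $to is fixed in the script, $subject comes from the form.
$to      = 'webmaster@example.com';
$subject = "Make Money fast\r\nCc: spamee@aol.com";
$from    = 'visitor@example.net';

// The Subject line ends at the injected CRLF; "Cc: spamee@aol.com" becomes a
// header of its own, and the MTA would deliver a copy to that address.
echo build_raw_headers($to, $subject, $from);

// header_value_is_clean($subject) is false, so send_form_mail() refuses and
// mail() is never called.
if (!send_form_mail($to, $subject, 'form body text', $from)) {
    echo "Refused: your input looks like a header injection attempt.\n";
}
```

Printing the raw header block first is the quickest way to convince yourself why the subject counts as a header: the injected line sits above the blank line that separates headers from body, so the MTA treats it as an instruction, not as text. The check is applied to every parameter that feeds a header, not only the subject, since the same trick works through any of them.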
