Posted by J.O. Aho on 02/27/06 03:38
LAshooter wrote:
> I've seen a number of sites talking about how easy it is to use mail
> injection to compromise PHP mail forms, but I'm not having any luck finding
> an "easy" way to block this. Is there a script or class that can be
> implemented to secure basic feedback forms?
What you need to do is to remove Bcc: and Cc: from the header, or see to it that they cannot be added; these are usually added through the "From:" part of the form, as this is the mail header part in mail().
Say you have a form with an input field where the user can enter their e-mail address; instead of just doing that, they add other header information, e.g.
silly@example.net \r\n Cc: wespam@example.com \r\n
The thing that people usually do is to use POST values directly in the mail() function, e.g.
// vulnerable: the raw POST value becomes the "additional headers" argument of mail()
$from = $_POST['from'] . "\r\n";
mail('me@example.net',$subject,$message,$from);
Now using that $from in mail() will cause the mail to be Cc:ed to wespam@example.com too.
A quite simple protection could be to use
// strip the CRLF pairs the attacker inserted before appending the real header terminator
// (eregi_replace was removed in PHP 7; str_replace("\r\n","",...) does the same job here)
$from = eregi_replace("\r\n","",$_POST['from']) ."\r\n";
mail('me@example.net',$subject,$message,$from);
This ensures you have one long row with the junk that the spammer added in the From:. Better is of course to move the From: into the message instead:
// keep the user-supplied address out of the header block entirely: it goes into the body
$from = eregi_replace("\r\n","",$_POST['from']) ."\n";
mail('me@example.net',$subject,"This mail is from: ".$from.$message);
If you want to reply, it's quite simple to cut and paste the mail address from the message into the To: in your mail client, and you get less risk of injection.
You can look at the user comments for the mail() function
http://www.php.net/manual/en/function.mail.php
//Aho
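Added example, not from the post above: it puts the vulnerable pattern, the "strip \r\n" fix and a stricter alternative side by side on constructed inputs. One caveat the strip-only approach has: it removes the CRLF pair but not a bare "\n", and Unix MTAs invoked by mail() treat a bare LF as a header line break too, so a "\n"-only injection survives it. The stricter version below rejects any input containing CR or LF and validates the remainder with PHP's filter_var(FILTER_VALIDATE_EMAIL); the function names (vulnerable_headers, strip_crlf_headers, safe_from_address, build_headers) and the address webform@example.net are my own choices for the demonstration. mail() itself is never called, so the script runs offline.

```php
<?php
// Added example (not the original poster's code). Shows the vulnerable
// header construction, the strip-CRLF mitigation, and a reject-on-sight
// alternative, applied to constructed inputs. mail() is never called.

// The vulnerable pattern from the thread: the POST value goes straight
// into the additional-headers argument of mail().
function vulnerable_headers(string $from): string {
    return "From: " . $from . "\r\n";
}

// The "strip \r\n" fix from the thread (str_replace in place of the
// removed eregi_replace). It only removes the CRLF pair; a lone "\n",
// which sendmail on Unix also treats as a line break, survives.
function strip_crlf_headers(string $from): string {
    return "From: " . str_replace("\r\n", "", $from) . "\r\n";
}

// Stricter version: refuse anything that is not a single valid address.
// Any CR or LF is treated as an injection attempt and rejected, not
// cleaned; FILTER_VALIDATE_EMAIL then rejects spaces and other junk.
function safe_from_address(string $input): ?string {
    if (preg_match('/[\r\n]/', $input)) {
        return null;
    }
    $addr = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Keep a fixed From: under your own domain and put the validated user
// address only in Reply-To:, so user data never reaches the header
// block unvalidated. Returns null when the input must be rejected.
function build_headers(string $userInput, string $fixedFrom): ?string {
    $reply = safe_from_address($userInput);
    if ($reply === null) {
        return null;
    }
    return "From: " . $fixedFrom . "\r\n" . "Reply-To: " . $reply . "\r\n";
}

// Constructed inputs: one legitimate address and two injection attempts,
// the second using a bare LF to slip past a CRLF-only filter.
$inputs = [
    'clean'   => 'silly@example.net',
    'crlf'    => "silly@example.net\r\nCc: wespam@example.com\r\n",
    'bare_lf' => "silly@example.net\nCc: wespam@example.com\n",
];

foreach ($inputs as $label => $value) {
    echo "== $label ==\n";
    echo "vulnerable : " . json_encode(vulnerable_headers($value)) . "\n";
    echo "strip CRLF : " . json_encode(strip_crlf_headers($value)) . "\n";
    $h = build_headers($value, 'webform@example.net');
    echo "hardened   : " . ($h === null ? "REJECTED" : json_encode($h)) . "\n";
}
```

Run it with `php example.php`. For the 'crlf' input the strip-CRLF variant collapses the Cc: onto the From: line, as the post describes, but for 'bare_lf' the injected "Cc: wespam@example.com" is still emitted as its own header line; the hardened variant rejects both and passes only the clean address through, and only into Reply-To:.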