Email Injection – How to prevent it?
- Thursday, April 9, 2009, 9:46
- PHP & MySQL
I presume that most of you already know this attack and how to prevent it, but recently, while I was googling, I found many feedback form scripts to be insecure. PHP is a capable and secure language, but it all depends upon the programmer's coding style. Anyway, let's get started…
If you are writing your own form, make sure you write it in such a way that spammers can't hijack it and spam others through your form. Normally we use PHP's mail() function to send email. Our script may contain the code below.
mail("yourname@emailaddress.com", "Title", $msg, "From: $emailAddr");
The above does nothing new; it is just the traditional approach, where yourname@emailaddress.com is the webmaster's (receiver's) address and the sender's address is held in the $emailAddr variable. Now let's come to the attack; hopefully you can get a good picture from here.
If you don't sanitize the $emailAddr variable before calling mail(), an attacker can inject additional headers into your messages by placing extra lines in the $emailAddr variable.
What does sanitizing mean here? For one, you inspect the data and make sure that it doesn't contain anything malicious, such as the following submitted as the e-mail address:
some-email-address@emailaddress.com
CC: another-email-address@emailaddress.com, yet-another-email-addresses@emailaddress.com, etc-etc@emailaddress.com
The mail() function will insert these lines into the header and pass it to the mail transfer agent, which will deliver the mail to everyone in the list. Now your form is hijacked and you have become a victim of someone's attack.
Prevention is better than cure
Now let's look at how to make our script secure by preventing this attack. You should also check that the user has not entered any malicious JavaScript code; there are many ways and many attacks to be prevented, but for now let's look at this one alone.
if ( preg_match( "/[\r\n]/", $name ) || preg_match( "/[\r\n]/", $emailAddr ) ) { // ereg() in the original; ereg() was removed in PHP 7
    // Redirect the user to an error page and note down the IP address
    error_log( "Header injection attempt from " . $_SERVER['REMOTE_ADDR'] );
    header( "Location: error.php" );
    exit;
}
$name will hold the visitor's name and $emailAddr the visitor's email address. The ereg() call (preg_match() on PHP 7 and later, where ereg() was removed) finds any newline characters. Carriage return [ \r ] and line feed [ \n ] start a new line in the email headers, which is what allows a new CC: line to be added. Our code now detects a newline and, if one is present, directs the user to an error page. Make sure you prevent this attack, or else your script might inadvertently be abused to send spam to others without your knowledge.
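To show the whole check in one place, here is an added example of a hardened feedback handler; it is not the code from the original post. It assumes PHP 7.1 or newer, a form that posts name, email and msg, and an error page named error.php. Besides the newline check the post describes, it also requires the address to parse as a single e-mail address (via filter_var), which is a stricter check than the post's and closes the case where a comma-separated list is submitted without any newline.

```php
<?php
// Added example (not the original post's code): a feedback handler that
// rejects header injection before the values ever reach mail().
// Assumed: form fields "name", "email", "msg"; error page "error.php".

const RECIPIENT = 'yourname@emailaddress.com';   // webmaster's address, from the post

/**
 * True when a header value contains a carriage return or line feed, i.e. when
 * it could start a new header line (CC:, BCC:, ...) once placed in a header.
 */
function contains_newline(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/**
 * Validates the visitor's name and address. Returns a short reason when the
 * values must be rejected, or null when they are safe to put in a header.
 */
function validate_sender(string $name, string $emailAddr): ?string
{
    if (contains_newline($name) || contains_newline($emailAddr)) {
        return 'newline in header field';
    }
    // Stricter than the post's check: the value must be exactly one address,
    // so "a@b.com, c@d.com" cannot be smuggled in without a newline either.
    if (filter_var($emailAddr, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid e-mail address';
    }
    return null;
}

function send_feedback(string $name, string $emailAddr, string $msg): bool
{
    $error = validate_sender($name, $emailAddr);
    if ($error !== null) {
        // Note down the IP address and send the visitor to the error page
        $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';
        error_log(sprintf('mail form rejected (%s) from %s', $error, $ip));
        header('Location: error.php');
        return false;
    }
    // The name is placed in a quoted display-name; mail() now receives a
    // single, well-formed From: line and nothing else from the visitor.
    $from = sprintf('From: "%s" <%s>', addcslashes($name, '"\\'), $emailAddr);
    return mail(RECIPIENT, 'Feedback form', $msg, $from);
}

// Constructed inputs: the injected CC: line from the post, a comma-separated
// list with no newline, and a benign address.
$samples = [
    'injected CC'  => "some-email-address@emailaddress.com\r\nCC: another-email-address@emailaddress.com",
    'comma list'   => 'some-email-address@emailaddress.com, etc-etc@emailaddress.com',
    'benign'       => 'some-email-address@emailaddress.com',
];
foreach ($samples as $label => $addr) {
    $result = validate_sender('Alice', $addr);
    echo $label, ': ', $result === null ? 'accepted' : 'rejected (' . $result . ')', PHP_EOL;
}
```

Run it from the command line to see which of the three constructed addresses pass; only the last one should be accepted. In the real form, call send_feedback() with the posted fields and stop processing when it returns false.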