[Mimedefang] OT: Don't let this happen to you
Kelson
kelson at speed.net
Wed Feb 15 13:05:03 EST 2006
Steffen Kaiser wrote:
> You've written that you've disabled CGI --
> Dunno, but I wouldn't weigh PHP as more secure than "general" CGI ??
With header injection attacks, it doesn't really matter whether the
target is PHP or CGI. It's a matter of how the message actually gets
sent. With PHP's mail function, you build up the headers in a single
string and the whole thing is passed to sendmail. Any To:, Cc:, or Bcc:
fields found in that list are added to the recipients. A CGI script
that called sendmail with the -t option would have the same problem:
If the script takes user input for any header, it's possible for an
attacker to pass in something like
"I have a question\nBcc: probeaddress at example.com"
and insert extra headers into the outgoing message. If they add "\n\n"
they can even insert their own message body.
This could probably be avoided if PHP's mail function used some sort of
structure for the headers where each header was a separate string, but
as things are you need to sanitize any user-supplied data that you use
in any header.
One way you can test your own scripts for this is to create a copy of
your form and replace all your <input> and <select> elements with
<textarea> (even checkboxes and radio buttons). That way you can try
passing the script multi-line fields and see whether it accepts the
extra lines, strips them out, or converts the newlines to spaces and
wraps the extra-long headers.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
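The injection described in the message above, as an added example that is not from the original post, from PHP, or from any MIMEDefang code: a Python stand-in for a contact-form script that concatenates headers into one string the way PHP's mail() or a CGI script feeding "sendmail -t" does, an emulation of how "-t" reads the envelope recipients out of To:, Cc: and Bcc:, and a check that refuses CR/LF in any user-supplied value bound for a header. The recipient address, the form fields and the probe address are constructed for the example.

```python
"""Header injection through a concatenated header string.

Constructed example: the form, its recipient and the attacker strings
are assumptions, not taken from any real site or script.
"""
import email

# Fixed address the hypothetical contact form is meant to reach (assumption).
FORM_RECIPIENT = "webmaster@example.com"


def build_message_unsafe(sender, subject, body):
    """Build the message the way PHP's mail() or a CGI script calling
    `sendmail -t` typically does: one header string, user input pasted
    in verbatim, a blank line, then the body."""
    headers = (
        "To: " + FORM_RECIPIENT + "\n"
        "From: " + sender + "\n"
        "Subject: " + subject + "\n"
    )
    return headers + "\n" + body


def looks_injected(value):
    """True if a would-be header value carries a line break, i.e. could
    start a new header (or, with a blank line, a new body)."""
    return "\r" in value or "\n" in value


def sanitize_header_value(value):
    """Refuse CR/LF outright rather than folding or stripping: a rejected
    submission is easier to reason about than a silently rewritten one."""
    if looks_injected(value):
        raise ValueError("newline in header value: possible header injection")
    return value


def build_message_safe(sender, subject, body):
    """Same layout as the unsafe builder, but every user-supplied value
    that lands in a header is checked first. The body may contain newlines."""
    return build_message_unsafe(
        sanitize_header_value(sender),
        sanitize_header_value(subject),
        body,
    )


def envelope_recipients(raw):
    """Emulate `sendmail -t`: the envelope recipients are whatever the
    message's own To:, Cc: and Bcc: headers say, including any header an
    attacker managed to insert."""
    msg = email.message_from_string(raw)
    rcpts = []
    for name in ("To", "Cc", "Bcc"):
        for value in msg.get_all(name, []):
            rcpts.extend(a.strip() for a in value.split(",") if a.strip())
    return rcpts


def message_body(raw):
    """Body as a mail parser sees it: everything after the first blank line."""
    return email.message_from_string(raw).get_payload()


# Attacker inputs, constructed for the example.
SUBJECT_WITH_BCC = "I have a question\nBcc: probeaddress@example.com"
SUBJECT_WITH_BODY = "I have a question\n\nText the attacker chose"

if __name__ == "__main__":
    raw = build_message_unsafe("alice@example.org", SUBJECT_WITH_BCC, "Hello")
    print("unsafe recipients:", envelope_recipients(raw))
    raw = build_message_unsafe("alice@example.org", SUBJECT_WITH_BODY, "Hello")
    print("unsafe body starts with:", message_body(raw).splitlines()[0])
    try:
        build_message_safe("alice@example.org", SUBJECT_WITH_BCC, "Hello")
    except ValueError as exc:
        print("safe builder rejected it:", exc)
```

Rejecting is the strictest of the three behaviours the message lists (accepting the extra lines, stripping them, or folding them); if a form must accept multi-line input for a field, that field belongs in the body, not in a header.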