[Mimedefang] OT: Don't let this happen to you

Kelson kelson at speed.net
Wed Feb 15 13:05:03 EST 2006

Steffen Kaiser wrote:
> You've written that you've disabled CGI --
> Dunno, but I wouldn't weigh PHP as more secure than "general" CGI ??

With header injection attacks, it doesn't really matter whether the 
target is PHP or CGI.  It's a matter of how the message actually gets 
sent.  With PHP's mail function, you build up the headers in a single 
string and the whole thing is passed to sendmail.  Any To:, Cc:, or Bcc: 
fields found in that list are added to the recipients.  A CGI script 
that called sendmail with the -t option would have the same problem:

If the script takes user input for any header, it's possible for an 
attacker to pass in something like
     "I have a question\nBcc: probeaddress at example.com"
and insert extra headers into the outgoing message.  If they add "\n\n" 
they can even insert their own message body.

This could probably be avoided if PHP's mail function used some sort of 
structure for the headers where each header was a separate string, but 
as things are you need to sanitize any user-supplied data that you use 
in any header.

One way you can test your own scripts for this is to create a copy of 
your form and replace all your <input> and <select> elements with 
<textarea> (even checkboxes and radio buttons).  That way you can try 
passing the script multi-line fields and see whether it accepts the 
extra lines, strips them out, or converts the newlines to spaces and 
wraps the extra-long headers.

Kelson Vibber
SpeedGate Communications <www.speed.net>
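The two patterns Kelson contrasts, written out as an added example (this is not code from the post, and it is Python rather than PHP so the behaviour can be exercised offline): the vulnerable concatenation of user input into one header block, the hardened version that rejects any value containing CR/LF, a small emulation of what sendmail -t does with the resulting header block, and an automated version of the "replace every field with a textarea" test that classifies a handler's response to a multi-line value. The addresses and the probe string are constructed, and the sendmail -t emulation only collects To/Cc/Bcc from the header section, which is the one behaviour the post relies on.

```python
"""Mail-header injection: the concatenation pattern beside a hardened one."""
import re

# Constructed sample input: the multi-line value from the post, with a
# placeholder probe address.
PROBE = "I have a question\nBcc: probe@example.com"


class HeaderInjection(ValueError):
    """Raised when a user-supplied value would add or split a header line."""


def build_headers_unsafe(to, from_addr, subject):
    """Vulnerable pattern: user input is concatenated into the header block.

    This mirrors what the post describes for PHP's mail(): every header
    ends up in one string, and sendmail -t trusts whatever it finds there.
    """
    return f"To: {to}\nFrom: {from_addr}\nSubject: {subject}\n"


def header_value(value, max_len=998):
    """Hardened: reject (rather than silently repair) any value that could
    break out of its header.  998 is the RFC 5322 line-length limit."""
    if not isinstance(value, str):
        raise TypeError("header values must be str")
    if re.search(r"[\r\n\x00]", value):
        raise HeaderInjection("CR/LF or NUL in header value")
    value = value.strip()
    if len(value) > max_len:
        raise HeaderInjection("header value too long")
    return value


def build_headers_safe(to, from_addr, subject):
    """Same layout as the unsafe builder, but every value is validated first."""
    return build_headers_unsafe(header_value(to),
                                header_value(from_addr),
                                header_value(subject))


def recipients_as_sendmail_t(message):
    """Emulate the part of sendmail -t that matters here: collect To/Cc/Bcc
    addresses from the header block, which ends at the first empty line.
    Anything after that blank line is body, not headers."""
    rcpts = []
    for line in re.split(r"\r?\n", message):
        if line == "":
            break
        m = re.match(r"(?i)(to|cc|bcc):\s*(.*)", line)
        if m:
            rcpts.extend(a.strip() for a in m.group(2).split(",") if a.strip())
    return rcpts


def probe_handler(build, field_value):
    """The post's textarea test, automated: hand a multi-line value to a
    header builder and report whether the extra line was accepted as a
    header, rejected outright, flattened onto one line, or stripped."""
    try:
        headers = build("owner@example.com", "visitor@example.com", field_value)
    except HeaderInjection:
        return "rejected"
    if field_value.replace("\n", " ") in headers:
        return "flattened"
    injected = [ln for ln in field_value.split("\n")[1:] if ln]
    if any(ln in headers.split("\n") for ln in injected):
        return "accepted"
    return "stripped"


if __name__ == "__main__":
    for name, build in (("unsafe", build_headers_unsafe),
                        ("safe", build_headers_safe)):
        print(name, probe_handler(build, PROBE))
    print(recipients_as_sendmail_t(
        build_headers_unsafe("owner@example.com", "visitor@example.com", PROBE)))
```

The probe classification is the useful part for a practitioner: a handler that reports "flattened" or "stripped" is doing some sanitisation, but "rejected" is the outcome to aim for, since a flattened header still carries the attacker's text into the message and a stripped one may behave differently under CRLF versus bare LF.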
