BeNdErR

Reputation: 17927

email header injection - example not working

First of all, this question is for personal knowledge, and not for any kind of attack :) Hope you'll believe me and give me some hints.

I'm trying to reproduce an example of mail header injection I found (link-> http://www.phpsecure.info/v2/article/MailHeadersInject.en.php). Basically it uses a form to get 3 parameters (subject, message and sender mail), then these parameters are sent with the POST method and used in the PHP mail() function to send a mail to an admin's address.

Everything works fine, each mail is sent without problem, but when I try to inject some other parameters such as Cc, Bcc etc. the trick doesn't work: neither \r & \n nor %0A & %0D are interpreted as CR and LF. For example, if I put [email protected]%0ACc:[email protected] in the "From" field, in the "[email protected]" inbox I'll find the mail, with the same "From" field as it was sent ([email protected]%0ACc:[email protected]). Does PHP or the input tag encode (or unencode) the input properly? How can I make it work?

Hope you can understand my bad English, thanks in advance, best regards.

PS: the article I linked is dated 2005. Recently I found that a similar bug with HTTP header splitting using the PHP function "header()" was fixed, so I thought that they fixed the email header injection problem too. But I can't find anything on the web that confirms this.

______________________EDIT________________________________________

Example working, modifying header within php code:

$to = "[email protected]";
$sub = "this is the subject";
$msg = "this is the message";
$header = "From: [email protected]"."\r\n"."Cc: [email protected]";
if(mail($to, $sub, $msg, $header."\n")){
    echo "sent";
}else{
    echo "error";
}

The email is correctly received both from [email protected] and [email protected]

Examples NOT working (this is the problem I'd like to solve with your help):

First example not working

Second example not working

Once I send the mail with the "send" button, only [email protected] will get the e-mail, and in the "from" detail (inside the mail) I'll find (1st case) [email protected]: [email protected] or (2nd case) [email protected]%0D%0ACc: [email protected].

Upvotes: 2

Views: 2320

Answers (1)

Shane Fright

Reputation: 385

I always find I need to use both \r\n in order for the headers to be sent properly.

Upvotes: 1
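An added example, not part of the question or the answer above: a server-side check for a form-supplied "From" value before it reaches mail(). Text such as `%0A` or `\r\n` typed into a form field reaches PHP as those literal characters (the browser encodes the `%` itself, and escape sequences are only interpreted in PHP source strings), but the handler still has to reject real CR/LF bytes because it cannot rely on the browser. The function name and the example.com addresses are constructed for illustration.

```php
<?php
// Added example: names are hypothetical, addresses are constructed samples.

/**
 * Return a "From: ..." header line, or null when the value must be rejected.
 */
function safe_from_header(string $from): ?string
{
    // Raw CR, LF or NUL would end the header line and start a new one.
    if (preg_match('/[\r\n\0]/', $from)) {
        return null;
    }
    // Require one syntactically valid address. This also rejects literal
    // text such as "%0ACc:" or "\r\nCc:" appended to the address.
    $addr = filter_var($from, FILTER_VALIDATE_EMAIL);
    if ($addr === false) {
        return null;
    }
    return 'From: ' . $addr;
}

// Constructed inputs: what $_POST['from'] would hold in each case.
$samples = [
    'plain address'             => 'sender@example.com',
    // Single quotes: these are literal characters, not control bytes.
    'literal %0A typed in form' => 'sender@example.com%0ACc:other@example.com',
    'literal \r\n typed in form' => 'sender@example.com\r\nCc:other@example.com',
    // Double quotes: real CR and LF bytes, as a non-browser client could send.
    'raw CR/LF bytes'           => "sender@example.com\r\nCc: other@example.com",
];

foreach ($samples as $label => $value) {
    $header = safe_from_header($value);
    printf("%-28s => %s\n", $label, $header ?? 'REJECTED');
}

// Only a validated header is ever passed on to mail():
// $header = safe_from_header($_POST['from'] ?? '');
// if ($header !== null) { mail($to, $sub, $msg, $header); }
```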
