Alex

Reputation: 35008

Injection to the mail command when only $text is user input

Is there any security risk of injection in the following PHP script?

<?php
$empfaenger_1 = "[email protected]";
$sender = "[email protected]";

$name = $_POST['name'];
$telefon = $_POST['phone']; 
$betreff = "Test";

$text =
"Please contact me

Name: $name
Telefon: $telefon";

mail($empfaenger_1, $betreff, $text,"from:$sender");

$url = htmlspecialchars($_SERVER['HTTP_REFERER']);
echo "<center><br><br>Thank you<br><br>";
echo "<center><a href='$url'>Back</a>";

Upvotes: 1

Views: 257

Answers (4)

drf

Reputation: 8699

Injection in mail

Here the risk appears minimal. A couple of answers here point to the possibility of HTML injection into the email. For HTML emails, this is a possibility, but HTML mail messages will have the Content-type header set to text/html or as a part of a multipart message. RFC 1521 stipulates that an HTML content-type must be set explicitly, and that if no content type is specified, plain text is the default:

Default RFC 822 messages are typed by this protocol as plain text in the US-ASCII character set, which can be explicitly specified as "Content-type: text/plain; charset=us-ascii". If no Content-Type is specified, this default is assumed.

In the above code, the user-provided text is inserted after the headers; an attacker would have no opportunity to change the content type (either to HTML or to multipart, the latter allowing injection of a MIME boundary).

The end result cannot be anything but a plain text message. If a user injects HTML tags into the message, the person reading the email would see those HTML tags in the message. Email clients generally don't opportunistically examine plaintext messages to locate and parse embedded HTML and JavaScript.

Injection elsewhere

While the use of mail is probably safe, there is a potential injection vulnerability in the remaining code:

$url = htmlspecialchars($_SERVER['HTTP_REFERER']);
echo "<center><a href='$url'>Back</a>";

By default, htmlspecialchars uses the ENT_COMPAT | ENT_HTML401 flags, which do not convert single quotes to &#039;. The link href attribute is delimited with single quotes. So if an attacker can coerce the HTTP referrer to include a single quote, he/she can invoke a routine XSS attack (for instance, if the referrer is coerced into the equivalent of http://whatever/a' onclick='alert(), clicking the link can invoke arbitrary JavaScript). To resolve this, either place "$url" on the second line in double quotes, or call htmlspecialchars with the ENT_QUOTES flag.

Upvotes: 2
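Added example to go with the answer above (not code from the question or from drf): the referrer "Back" link from the question, once escaped with ENT_COMPAT as the answer describes and once with ENT_QUOTES, plus a check that the referrer is an absolute http(s) URL before it is placed in the attribute at all. The function names attr_escape, safe_back_url and back_link, the fallback path and the sample referrer value are all choices made for this example.

```php
<?php
// Added example, not code from the question or the answers. Hardened form
// of:  $url = htmlspecialchars($_SERVER['HTTP_REFERER']);
//      echo "<a href='$url'>Back</a>";

/**
 * Escape a value for an HTML attribute so it is safe inside single- or
 * double-quoted delimiters. ENT_QUOTES encodes ' as &#039; (ENT_HTML401).
 */
function attr_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

/**
 * Accept only an absolute http(s) URL as the back link; a missing header,
 * any other scheme, or an unparsable value falls back to a fixed local path.
 * (The fallback policy is an assumption made for this example.)
 */
function safe_back_url(?string $referer, string $fallback = '/'): string
{
    if ($referer === null || filter_var($referer, FILTER_VALIDATE_URL) === false) {
        return $fallback;
    }
    $scheme = strtolower((string) parse_url($referer, PHP_URL_SCHEME));
    return ($scheme === 'http' || $scheme === 'https') ? $referer : $fallback;
}

/** The single-quoted href from the question, built the safe way. */
function back_link(?string $referer): string
{
    return "<a href='" . attr_escape(safe_back_url($referer)) . "'>Back</a>";
}

// Constructed referrer value: a legal URL that happens to contain a single quote.
$referer = "http://example.com/page?id=1'";

// As in the question (explicit ENT_COMPAT so the result does not depend on
// the PHP version's default flags): the quote passes through untouched and
// terminates the attribute early.
$before = "<a href='" . htmlspecialchars($referer, ENT_COMPAT | ENT_HTML401, 'UTF-8') . "'>Back</a>";

// Hardened: the quote is encoded, so href stays one attribute value.
$after = back_link($referer);

echo $before, PHP_EOL;
echo $after, PHP_EOL;

// Values that are not http(s) URLs never reach the attribute.
echo back_link("ftp://example.com/x"), PHP_EOL;
echo back_link(null), PHP_EOL;
```

Running it prints the first link with a bare `'` inside the href and the second with `&#039;` in its place; the last two lines both print a link to `/`. Note that the default flags the answer describes apply to PHP before 8.1; from 8.1 onward htmlspecialchars defaults to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, which is why the example passes the flags explicitly in both directions.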

David

Reputation: 73564

If the client opens the email in HTML view mode and the user injects script, then yes, it's vulnerable to XSS, and by extension, CSRF. You should, of course, sanitize all untrusted input.

More specific XSS protection information can be found at the OWASP web site.

Upvotes: 1

PiTheNumber

Reputation: 23542

I think mail injections are only possible in header fields. Mail injections into body text are not known to me.

Anyway look out for XSS, you should use strip_tags():

$name = strip_tags($_POST['name']);
$telefon = strip_tags($_POST['phone']); 

Upvotes: 4

Bono

Reputation: 4849

There is a possibility, yes; one can inject JavaScript code, for example if someone puts this as their name:

<script type="text/javascript">

window.location = "http://www.google.com/"

</script>

Anyone viewing that name would be redirected to google.com. You can prevent this by saying:

$name = htmlentities(strip_tags($_POST['name']));

Upvotes: 1
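Added example covering the two points raised in the answers by PiTheNumber and Bono (not code from the question or from either answer): a hardened version of the form handler in which the values that end up in the plain-text body are reduced to a single bounded line, and any value that would end up in a header line is refused if it contains a line break, since header fields are where mail injection lives. The question's own code hard-codes the sender, so the header check is shown for the case where a user-supplied address (say a reply-to) is ever added to the headers; that scenario, the function names, the length limit and the sample inputs are all assumptions of this example.

```php
<?php
// Added example, not code from the question or the answers.

const MAX_FIELD_LEN = 200; // limit chosen for this example

/**
 * Normalise a value destined for the text/plain body: one line, bounded
 * length, no control characters. Tags are left as literal text, which a
 * plain-text message displays rather than renders.
 */
function body_field(string $value): string
{
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value); // CR, LF, NUL, ...
    $value = trim((string) $value);
    return mb_substr($value, 0, MAX_FIELD_LEN, 'UTF-8');
}

/**
 * A value going into a header line (From, Reply-To, Subject, ...) must not
 * contain CR or LF: a line break would start a new, caller-chosen header.
 * Returns null for anything that is not a single clean line.
 */
function header_field(string $value): ?string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        return null;
    }
    return trim($value);
}

/** Validate an address before it is ever placed in a header. */
function valid_email(string $value): ?string
{
    $value = header_field($value);
    if ($value === null || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

/**
 * Build [to, subject, body, headers] for mail(); returns null when the
 * submission is unusable (empty name or a sender address that fails checks).
 */
function build_contact_mail(array $post, string $to, string $from): ?array
{
    $name    = body_field($post['name'] ?? '');
    $telefon = body_field($post['phone'] ?? '');
    if ($name === '') {
        return null;
    }
    $from = valid_email($from);
    if ($from === null) {
        return null;
    }
    $body = "Please contact me\n\nName: $name\nTelefon: $telefon\n";
    return [$to, 'Test', $body, "From: $from"];
}

// Constructed inputs, not real submissions or addresses.
$to   = 'recipient@example.invalid';
$from = 'sender@example.invalid';

// A normal submission.
$ok = build_contact_mail(['name' => 'Anna Example', 'phone' => '+49 30 1234'], $to, $from);

// Line breaks and tags in body fields are flattened into one line of literal text.
$flattened = build_contact_mail(
    ['name' => "Anna\r\nExample <b>bold</b>", 'phone' => "123\n456"], $to, $from);

// A line break in a header-bound address is rejected before it reaches mail().
$rejected = build_contact_mail(
    ['name' => 'Anna Example', 'phone' => ''], $to, "sender@example.invalid\r\nX-Extra: value");

var_dump($ok, $flattened, $rejected);

if ($ok !== null) {
    [$mailTo, $subject, $body, $headers] = $ok;
    // mail($mailTo, $subject, $body, $headers);  // only in the real handler
}
```

The first two calls return a four-element array whose body contains each field on exactly one line (the tags in the second case survive as literal text, as drf's answer explains for text/plain mail); the third returns null because header_field() sees the CR/LF in the sender value. body_field() uses mb_substr(), so the mbstring extension is assumed.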
