
exploiting mail() function


Hooch


Hi all. I was directed to a possible problem within the mail() function today. The following is a direct copy from the page I was sent to. Can someone verify this information?

============================================================

PHP Security: Sending an email

In this tutorial we'll speak about the dangers mail() brings with it.

You probably wouldn't expect it, but the well known function mail() is often a goldmine for spammers. In this tutorial we'll talk about the danger of using mail() in your PHP powered website.

Many websites have some sort of email form. But what many of the webmasters don't know is that with some code you can turn that simple form into a spammer's base! When you have a field that should contain the email address of the sender or receiver, the spammer could send additional data in the email, because the sender and receiver are stored in the header of an email. Basically what this means is that the spammer could change the email into an email that is sent to numerous people, and contains spam!

I will cut the example because you need to understand some email protocol. (or API, whatever you want to call it)

The remedy

The remedy is again very easy. The only thing you should do is check if the user has added a newline (\n) or carriage return (\r) into one of the email addresses.

The way most people do it is like this:

<?php
// Reject any address that carries a carriage return or newline.
// (eregi is a PHP 4/5 POSIX regex function; it was removed in PHP 7.)
if (eregi("\r", $to) OR eregi("\n", $to)) {
    echo 'No valid email address';
}
if (eregi("\r", $from) OR eregi("\n", $from)) {
    echo 'No valid email address';
}
?>

============================================================

Thank you for your time.


Yeah, think about how you create the email. Most scripts that send email do something like this:

<?php
$to      = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$headers = "From: {$_POST['email']}";   // user input goes straight into a header line
mail($to, $subject, $message, $headers);
?>

The only important thing there is the from address, which goes in the header. If you aren't validating the input field that email address comes from then someone could submit this as the email field:

from@domain.com\r\nCc: spamee1@domain.com, spamee2@domain.com, spamee3@domain.com, spamee4@domain.com\r\nLOL OMG PEN1S PILLS!!!!
So the $headers variable contains this:
From: from@domain.com\r\nCc: spamee1@domain.com, spamee2@domain.com, spamee3@domain.com, spamee4@domain.com\r\nLOL OMG PEN1S PILLS!!!!
Then when PHP builds the email to send to the mail agent the email looks something like this, with all the headers:
To: nobody@example.com
Subject: the subject
From: from@domain.com
Cc: spamee1@domain.com, spamee2@domain.com, spamee3@domain.com, spamee4@domain.com
LOL OMG PEN1S PILLS!!!!
< your intended email text here >
So ain't that some crap? That's an email that gets sent to the person who your email form was supposed to get sent to, plus however many other people in the CC header, about buying pills that also happens to include whatever possibly-sensitive information that your email was going to contain, and the spam is coming from your server or hosting account.

So yeah, it's something to avoid. Always validate anything you're using in the email headers, including the subject. Anything that comes from $_POST that goes into the email headers needs to be checked for line breaks.

If you want to verify that this is working, have the part of your PHP script that checks for line breaks send you an email (a safe one) that contains the text that failed the validation to see what people are trying to use your form for. If you just put their text in the body and don't include anything from $_POST in the headers (hard code everything) then you can see what's going on.
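An added example, not code from the thread, that takes the mail() script from the post above and adds the check it calls for: every value bound for a header (From, Reply-To, Subject) is refused if it contains a CR or LF, the recipient stays hard-coded, and only the body may contain line breaks. The function names and the $_POST field names are assumptions, and the two submissions at the bottom are constructed for a stand-alone run.

```php
<?php
// True only if $value carries no CR or LF anywhere, so it cannot start a new header line.
function header_value_is_safe($value)
{
    return strpos($value, "\r") === false && strpos($value, "\n") === false;
}

// Builds the four mail() arguments from the posted form. Returns false instead of
// an argument list when any header-bound field contains a line break, so the
// caller never reaches mail() with injected headers.
function build_contact_mail(array $post)
{
    $to      = 'nobody@example.com';   // hard-coded recipient, never taken from the form
    $from    = isset($post['email'])   ? $post['email']   : '';
    $subject = isset($post['subject']) ? $post['subject'] : '';
    $body    = isset($post['message']) ? $post['message'] : '';

    foreach (array($from, $subject) as $field) {
        if (!header_value_is_safe($field)) {
            // Log the attempt server-side (the thread suggests mailing it to yourself,
            // in the body only); never echo it back into a header.
            error_log('mail form: line break in a header field, submission rejected');
            return false;
        }
    }
    // Syntax check on the address as well; filter_var exists since PHP 5.2.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $headers = "From: $from\r\nReply-To: $from";
    // The message body may legitimately contain line breaks; it is not a header.
    return array($to, $subject, $body, $headers);
}

// Constructed inputs: an honest submission and the Cc-injection from the post above.
$honest = array('email' => 'alice@example.com', 'subject' => 'Hello',
                'message' => "line one\nline two");
$forged = array('email' => "from@domain.com\r\nCc: spamee1@domain.com",
                'subject' => 'Hello', 'message' => 'x');

var_dump(build_contact_mail($honest) !== false);   // bool(true)
var_dump(build_contact_mail($forged));             // bool(false)

// In the real form: if (($args = build_contact_mail($_POST)) !== false) {
//     list($to, $subject, $body, $headers) = $args; mail($to, $subject, $body, $headers); }
```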

Great explanation guy. I am validating the email...

<?php
// Returns 1 when $email looks syntactically valid and its domain has an MX record.
// (eregi and split are PHP 4/5 functions; both were removed in PHP 7.)
function validate_email($email)
{
    // Create the syntactical validation regular expression
    $regexp = "^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$";
    // Presume that the email is invalid
    $valid = 0;
    // Validate the syntax
    if (eregi($regexp, $email)) {
        list($username, $domaintld) = split("@", $email);
        // Accept only if the domain part has a mail exchanger
        if (getmxrr($domaintld, $mxrecords)) {
            $valid = 1;
        }
    } else {
        $valid = 0;
    }
    return $valid;
}
?>

This will stop the \ character, so no line returns will be allowed. But I assume it would allow a bunch on one line. Here is my attempt to stop the multiple lines..

// Check the posted email for multiple emails.  Spammers may exploit the
// mail() function and send out multiple emails.
if (eregi("\r", $email) OR eregi("\n", $email)) {
    echo "<center>Please, only 1 email at a time.<br>";
    echo "Click back on your browser control or click ";
    echo "<a href=\"email.php\">here</a></center>";
}

How does that look?

** question

I am having a problem with the code picking up the \n or \r. If I just use letters in the following code..

if (eregi("test", $email) OR eregi("test2", $email))

The code works perfect if the email has either test or test2 in it. If the code is as I 1st posted..

if (eregi("\r", $email) OR eregi("\n", $email))

It picks up every entry as having these values. Even a regular email like email@email.com will make this code true. (I'm getting sleepy)


The eregi function always returns 1 if the optional third parameter is not sent (I'm not sure what the point of that is). It would be better to use strpos for this; you don't need the overhead of the regular expression engine if you just want to search for one character.

if (strpos($email, "\r") !== false OR strpos($email, "\n") !== false)


They might have other characters in their email address that for some reason need to be escaped... can't think of any at the moment though.



Hi, I've been trying to add this to my php form, but I can't get it to work. It still sends the e-mail. I think it is because my form is escaping characters. I tried to add a \n or \r in some of the fields, but it shows up as \\n and \\r when sent. Does that mean my form is safe from spammers trying to add \n or \r? Also, what would be adding the slashes? Could it be something like magic_quotes being turned on?

Thanks!


Yeah, think about how you create the email. Most scripts that send email do something like this:

<?php
$to      = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$headers = "From: {$_POST['email']}";   // user input goes straight into a header line
mail($to, $subject, $message, $headers);
?>

The only important thing there is the from address, which goes in the header. If you aren't validating the input field that email address comes from then someone could submit this as the email field:

from@domain.com\r\nCc: spamee1@domain.com, spamee2@domain.com, spamee3@domain.com, spamee4@domain.com\r\nLOL OMG PEN1S PILLS!!!!

So the $headers variable contains this:

From: from@domain.com\r\nCc: spamee1@domain.com, spamee2@domain.com, spamee3@domain.com, spamee4@domain.com\r\nLOL OMG PEN1S PILLS!!!!

Then when PHP builds the email to send to the mail agent the email looks something like this, with all the headers:

To: nobody@example.com
Subject: the subject
From: from@domain.com
Cc: spamee1@domain.com, spamee2@domain.com, spamee3@domain.com, spamee4@domain.com
LOL OMG PEN1S PILLS!!!!
< your intended email text here >

So ain't that some crap? That's an email that gets sent to the person who your email form was supposed to get sent to, plus however many other people in the CC header, about buying pills that also happens to include whatever possibly-sensitive information that your email was going to contain, and the spam is coming from your server or hosting account.

So yeah, it's something to avoid. Always validate anything you're using in the email headers, including the subject. Anything that comes from $_POST that goes into the email headers needs to be checked for line breaks.

If you want to verify that this is working, have the part of your PHP script that checks for line breaks send you an email (a safe one) that contains the text that failed the validation to see what people are trying to use your form for. If you just put their text in the body and don't include anything from $_POST in the headers (hard code everything) then you can see what's going on.

Hang on, why would the user have access to the from field? Wouldn't that be your own constant email address? Wouldn't they only have access to the "to" field.

You can put anything you want in the from field, and in this case the user is meant to put his address in there. But he could put anything.


You can put anything you want in the from field, and in this case the user is meant to put his address in there. But he could put anything.
No, I meant the user of the site. Why would the webmaster allow a user to input his own value for the "from" field? Wouldn't the only field that needs user input be the "to" field, which isn't included in the header?

No, I meant the user of the site. Why would the webmaster allow a user to input his own value for the "from" field? Wouldn't the only field that needs user input be the "to" field, which isn't included in the header?

You would include a from field to know who to reply to. Say the form was being used to request some information. Whoever the form sends the request to can click reply and send a message back to the user that was requesting info.

By the way, no one answered my question about magic quotes being turned on, so if anyone knows the answer, I would still appreciate it. I checked and magic quotes is turned on. If I leave that on, does it protect my scripts from spammers? I couldn't seem to add any other addresses to it.

No, I meant the user of the site. Why would the webmaster allow a user to input his own value for the "from" field? Wouldn't the only field that needs user input be the "to" field, which isn't included in the header?
Surely you've seen mail forms with a From text field, they're all over the place. The To, From, and Subject fields are all headers in the email that can all be exploited this way.
I tried to add a \n or \r in some of the fields, but it shows up as \\n and \\r when sent.
You're just sending the characters "\n" and "\r", not actual line breaks. If you make your text field a text area then you can add real line breaks to test it. People exploiting web forms like this don't fill them out by hand, they use scripts to submit whatever data they want (including line breaks). And yes, magic quotes is the reason you are having slashes added.
If I leave that on, does it protect my scripts from spammers?
No.
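An added example (not from the thread) showing why typing "\n" into a text field never trips the line-break check while a scripted submission does, and how to undo the backslashes magic_quotes_gpc adds before checking. The function names are assumptions and the three submissions are constructed inline.

```php
<?php
// True if $value contains a real carriage return or newline byte.
function has_line_break($value)
{
    return strpos($value, "\r") !== false || strpos($value, "\n") !== false;
}

// Reverses the backslashes magic_quotes_gpc adds to $_POST values so the
// check sees the bytes the client actually sent. get_magic_quotes_gpc()
// exists up to PHP 7.3 and always returns false from PHP 5.4 on.
function raw_form_value($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Constructed submissions:
// 1. what a person gets by typing backslash and n into a text input
//    (single quotes keep it as two characters, not a newline);
$typed = 'from@domain.com\n';
// 2. the same value after magic_quotes_gpc has doubled the backslash;
$quoted = addslashes($typed);
// 3. what a script sends: a URL-encoded CR LF (%0D%0A) followed by a Cc header.
$scripted = urldecode('from%40domain.com%0D%0ACc%3A%20spam%40domain.com');

var_dump(has_line_break(raw_form_value($typed)));  // bool(false): no real newline
var_dump(has_line_break(stripslashes($quoted)));   // bool(false): still no real newline
var_dump(has_line_break($scripted));               // bool(true): real CR LF, rejected
```

Magic quotes only escapes quote characters and backslashes; it leaves CR and LF bytes untouched, so the third submission passes through it unchanged and must be caught by the check.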

Surely you've seen mail forms with a From text field, they're all over the place. The To, From, and Subject fields are all headers in the email that can all be exploited this way.
I know there are some forms with a from field, but not all of them have it - but if To: is also in the headers then I see the problem.

You're just sending the characters "\n" and "\r", not actual line breaks. If you make your text field a text area then you can add real line breaks to test it. People exploiting web forms like this don't fill them out by hand, they use scripts to submit whatever data they want (including line breaks). And yes, magic quotes is the reason you are having slashes added.
Should I use stripslashes then and then check to see if they have entered in new line breaks? Thanks!

Archived

This topic is now archived and is closed to further replies.
