• Coded a contact form? HEADER INJECTION: Something you guys might not know about
    5 replies
When coding contact forms, most people don’t realize that unless they’ve taken the necessary measures, it will probably be vulnerable to header injection. This basically means that the attacker can put his own [B]To[/B] and [B]From[/B] into the email headers using the textarea or inputs in the contact form. Why do people do this? For sending email spam. I found an article on anders.com that explains this very well. [URL]http://anders.com/projects/sysadmin/formPostHijacking/[/URL] Basically, you're going to want to strip out [B]\r[/B] and [B]\n[/B] from the user input that you use in the mail() function. A regex is the easiest way to do this:
[PHP]
// Remove carriage returns and line feeds so a value cannot start a new header line.
$_POST['name'] = preg_replace("/\r|\n/", "", $_POST['name']);
$_POST['email'] = preg_replace("/\r|\n/", "", $_POST['email']);
$_POST['message'] = preg_replace("/\r|\n/", "", $_POST['message']);
// And then you can safely use the above variables in the mail() function.
[/PHP]
Just a little something to think about if you've made your own contact forms at some point. They may be susceptible to header injection, so watch out! I wrote more about this on my blog, but I've basically covered everything in this post. [url]http://atomiku.com/2012/12/contact-form-hijacking-how-to-secure-your-contact-forms/[/url] ~atomiku
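An added example, not part of the original post or the author's blog, showing what the injection above actually does to the message and comparing the post's strip-CR/LF fix with a reject-on-sight check. It builds the raw header block the way an unsanitised mail() call concatenates it and parses it back with Python's email parser so you can see the smuggled Bcc and Subject lines as the MTA would; the attacker string, the address regex and all function names are constructed for this example and are assumptions, not anything from the page.

```python
"""Header injection in a contact form: vulnerable assembly, the strip fix,
and a stricter reject-and-validate fix. Example code, not from the post."""
import re
from email import message_from_string

# Constructed attacker input for the form's "email" field (example data).
ATTACKER_EMAIL = (
    "victim@example.com\r\n"
    "Bcc: spam1@example.net, spam2@example.net\r\n"
    "Subject: Cheap pills"
)
CRLF = re.compile(r"[\r\n]")
# Deliberately strict: exactly one bare address, no whitespace, brackets
# or separators. Tighter than RFC 5322, which is the point for a form field.
EMAIL_RE = re.compile(r"^[^\s@<>,;]+@[^\s@<>,;]+\.[A-Za-z0-9-]+\Z")


def build_raw_message(to, subject, from_addr, body):
    """Concatenate headers the way an unsanitised PHP mail() call does:
    each value is pasted into its own header line, so a CR/LF inside a
    value starts a new header that the MTA will honour."""
    headers = [f"To: {to}", f"Subject: {subject}", f"From: {from_addr}"]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def header_names(raw):
    """Return the header names the MTA would see, in order."""
    return [name for name, _ in message_from_string(raw).items()]


def strip_crlf(value):
    """The post's fix: remove CR and LF so the value cannot break a line."""
    return CRLF.sub("", value)


def require_single_line(field, value):
    """Stricter alternative: refuse the submission instead of repairing it,
    so the attempt can be logged rather than silently mangled."""
    if CRLF.search(value):
        raise ValueError(f"{field}: CR/LF in header value (injection attempt)")
    return value


def require_email(field, value):
    """Whitelist check for address fields; a match implies no CR/LF."""
    value = value.strip()
    if not EMAIL_RE.match(value):
        raise ValueError(f"{field}: not a single plain e-mail address")
    return value


def build_contact_mail(name, email, message, site_to="contact@example.com"):
    """Hardened assembly: every header value is validated; the body is left
    alone because it sits after the blank line, where newlines are harmless."""
    safe_name = require_single_line("name", name)
    safe_email = require_email("email", email)
    headers = [
        f"To: {site_to}",
        f"Subject: Contact form: {safe_name}",
        f"From: {safe_email}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + message


def validation_error(name, email, message):
    """Return the rejection reason for a submission, or None if accepted."""
    try:
        build_contact_mail(name, email, message)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    raw = build_raw_message(ATTACKER_EMAIL, "Hello", "site@example.com", "hi")
    print("unsanitised:", header_names(raw))
    stripped = build_raw_message(strip_crlf(ATTACKER_EMAIL), "Hello",
                                 "site@example.com", "hi")
    print("stripped:   ", header_names(stripped))
    print("rejected:   ", validation_error("Bob", ATTACKER_EMAIL, "hi"))
```

Run as a script it prints the five headers the attacker gets in the unsanitised case (To, Bcc, Subject, Subject, From), the three that survive after stripping, and the rejection reason from the strict path. Stripping works, but it turns an obvious attack into a malformed-but-accepted address; rejecting the submission costs nothing for honest users, who never put a line break in their e-mail address, and gives you an event to alert on.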
Sounds like typical PHP when a helper function barely helps. It's just a tiny notch up from actually connecting to the SMTP server with sockets. Personally, I would make a class that would be used for safely sending email and would store headers you pass to it in an array with newline characters stripped. I think that would be a far more elegant solution than just copying the same preg_replace line and changing it for every user-defined field you want to sanitise.
[QUOTE=SteveUK;39006053]Sounds like typical PHP when a helper function barely helps. It's just a tiny notch up from actually connecting to the SMTP server with sockets. Personally, I would make a class that would be used for safely sending email and would store headers you pass to it in an array with newline characters stripped. I think that would be a far more elegant solution than just copying the same preg_replace line and changing it for every user-defined field you want to sanitise.[/QUOTE] Or better yet, use somebody else's class who has already found the best solution to sanitisation.
SteveUK, cyber_cam34: Very good point! In fact, it would be worth mentioning that in my blog post and OP. Originally, this was aimed at people who had knocked up a quick contact form page in five minutes using the mail() function, like I have done a couple of times in the past. This may still be handy for those who don't want to put the effort into finding a mail/SMTP class and changing their code. I found the PEAR MAIL::SMTP module to work quite nicely. That's only if you have an SMTP server+account to send from, though. Actually, mail() is pretty horrible and unreliable, and will end up in the spam box in most cases - spam filters don't like mail that hasn't been sent from a verified source.
You know mail() requires an SMTP server too?
[QUOTE=SteveUK;39030473]You know mail() requires an SMTP server too?[/QUOTE] Yes, but on Linux in most cases it will use sendmail. And I quote: [QUOTE]On a *nix machine, the PHP mail() function does not support SMTP, but instead uses the sendmail() or other configured mail script on the server.[/QUOTE] That was quoted from Stack Overflow, although I think he's wrong about *nix PHP's mail() function not supporting SMTP... I'm pretty sure it does.