ansaurus

Question

Is there any risk of injection in PHP's mail() function?

Answer 1

+4 A:

As long as all user-stuff i's kept in the mail body, then there is no risk of injection.

However, as soon as a user can affect mail headers, then they can inject extra headers and do things like use it to spam arbitrary e-mail addresses or include a completely different message - including attachments.

If you check for newlines in the parts that affect the headers, and reject if it appears, then that should be enough. The SMTP standard uses CRLF to separate the header lines, but AFAIK, many Unix-based servers want you to only use LF (because that's the native line separator on those systems). The mail relayer then converts it when sending it further upstream.

Michael Madsen 2010-01-02 21:36:23

Seconded. There is no direct risk here because everything's in the body but it's important to keep in mind that headers are vulnerable.

Pekka 2010-01-02 22:15:32

Answer 2

+1 A:

PHP is full of unsafe stuff, but I'm not sure there's a lot of risk here.

Certainly a too-long comment could overflow whatever limit you might have on message size. That probably won't hurt you.

PHP's $XXX syntax expands the string, but doesn't do any further evaluation of the XXX does it? If $XXX worked like some kind of eval(), you'd be in for a world of remote code execution, but I don't think that's the case.

If this is inwardly doing SMTP, then a . on one line followed by a blank line would signal the end of a mail, and theoretically an attacker could follow that up with more text in successive lines to hijack your mailer to mail some other message to someone else. That's if PHP doesn't recognize and escape such a string in the first place. This is something I'd look into.

Carl Smotricz 2010-01-02 21:38:12

no it doesn't do any eval. just years of working with sql has made me nervous, since there is always a risk of SQL injection in that case

Jenni 2010-01-03 02:14:19

Answer 3

+3 A:

Be aware of the newline character inside the name. Two consequent (erm.. pardon my English, two newlines one after another) newlines mean "end of headers" in SMTP.

Also, the sequence `\n.\n' (empty line with only a period) means "end of message".

EDIT: Yes, there is a risk of spammers! What if the $name actually contains:

 someonesName
 CC: [email protected]; [email protected]

(i.e. something to inject more headers)?

EDIT2: didn't notice that "name" and "comment" were both in the body part of the message. Then my idea about spammers is not valid.

naivists 2010-01-02 21:40:46

adding a CC header in there won't actually cause the email to be delivered to those addresses, it's the envelope address that's used to determine that. But Reply-to: headers could be added and probably Content-type: and then a mime body containing a virus...! I think you need to check that the name and comment fields are suitable

John Burton 2010-01-02 22:12:43

@naivists: I just tried this and the `\n.\n` doesn't seem to be a problem, i got all three "test" lines in the message: `mail('[email protected]', '', "test message: test1\n.\ntest2\n\n.\n\ntest3", "From: [email protected]");`

Jenni 2010-01-03 02:38:16

also, i think you meant "consecutive" :)

Jenni 2010-01-03 02:40:07

ansaurus

tags:

views:

answers:

Is there any risk of injection in PHP's mail() function?

related questions