E-Mail Header Injection Attack :: Security 1st

Problems with the Mac OS X version of XAMPP, questions, comments, and anything related.

E-Mail Header Injection Attack :: Security 1st

Postby jmdirc » 06. November 2009 03:27

Just found this article from New York PHP, thought it a good place to mention it. I don't know if Apache Friends allows articles outside of software specific - but if they don't mind...

Security is an issue for, or should be, for everyone who creates websites, specially dynamic websites where user input is expected. With the now popular e-mail injection, the script writer needs to be ever more vigilant in his coding practices. When we write code for websites we need to have security on our minds, from start to finish.

The following is from the article mentioned above and is suggested to help prevent the e-mail injection attacks:

To prevent an email header injection attack, you need to filter all input data including any other fields on your forms (such as hidden fields) that may be used by your scripts in the creation of an email. The actual filtering implementation is a matter of programming style.

Filter Before Submit

You can prevent the attack by performing a data validation procedure that will not allow a script to run until the unwanted strings have been removed. For example, the following patterns can be used with PHP's preg_match function. If the function returns false, you can prevent the user from proceeding.

Pattern for filtering fields such as names
Code: Select all
'/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/i'

Pattern for filtering email addresses
Code: Select all

For example, using the pattern for email addresses, you might do the following:

Code: Select all
$emailPattern = '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    if (!preg_match($emailPattern, $emailFieldToTest)) {
   print 'Please review the email address you entered. There seems to be a problem';

Filter After Submit

You can allow a user (or, in this case, the botnet) to submit the form but then clean the data prior to actually processing it. A function like the one below can be used for this purpose.

Code: Select all
function safe( $name ) {
   return( str_ireplace(array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ), "", $name ) );

 NOTE: str_ireplace is a PHP5 function. If you are using an
 earlier version of PHP, you can use preg_replace
 with the i modifier.

Another method for filtering after the submit might look like the following. Be sure to change $_POST to $_GET if you are using that method.

Code: Select all
foreach( $_POST as $value ){
  if( stripos($value,'Content-Type:') !== FALSE ){
    mail('admin@somehwere.com','Spammer Bot Attempt',$_SERVER['REMOTE_ADDR']);
     exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded");

Contributing authors:
Rolan Yang
Chris Snyder
Billy Reisinger
Ken Robinson
Hans Zaunere
Chris Shiflett
Jordan Bradford
the PHundamentals team: Jeff Siegel and Mike Southwell "

A must read for the web programmer. Read the article in its entirety HERE
An artist/designer/ and now programer exploring the creative sides.
User avatar
Posts: 154
Joined: 10. February 2008 22:44

Return to XAMPP for macOS

Who is online

Users browsing this forum: No registered users and 4 guests