AFAIK there is only a vulnerability within the HEADERS of an email when using user data, correct?
I am using the below function to sanitize my data; however, I have some textarea fields on the page and hence these may contain line breaks, so I was wondering: if that user data is only going to be put in the body of the email, can I skip sanitizing it, apart from stripping HTML of course?
Here is the function:
function is_injected($str) {
    // Raw control characters and their URL-encoded forms that would let
    // user data start a new header line (LF, CR, TAB, %0A, %0D, %08, %09).
    $injections = array('(\n+)',
                        '(\r+)',
                        '(\t+)',
                        '(%0A+)',
                        '(%0D+)',
                        '(%08+)',
                        '(%09+)'
                        );
    // Combine into one case-insensitive alternation: /(\n+)|(\r+)|.../i
    $inject = join('|', $injections);
    $inject = "/$inject/i";
    if (preg_match($inject, $str)) {
        return true;
    } else {
        return false;
    }
}
As a side note, I'm surprised there isn't currently a tag for mail-injection / email-injection.
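As an added example (not code from the question, and Python rather than the PHP above), the following shows why the check above belongs on header fields only. It ports the same byte patterns as is_injected(), builds a message the naive way to show a smuggled Bcc header, then builds it with Python's email package, rejecting line breaks in the header fields while passing a multi-line textarea body through untouched. The addresses and the malicious subject are constructed sample input.

```python
import re
from email.message import EmailMessage

# Same patterns as the question's is_injected(): raw LF/CR/TAB plus the
# URL-encoded forms %0A, %0D, %08, %09, matched case-insensitively.
INJECTION_RE = re.compile(r"\n|\r|\t|%0A|%0D|%08|%09", re.IGNORECASE)

# Constructed sample input: a subject that smuggles an extra header line,
# and a textarea body that legitimately contains newlines.
EVIL_SUBJECT = "Hello\r\nBcc: everyone@example.com"
TEXTAREA_BODY = "first line\nsecond line\n"


def is_injected(value):
    """True if value contains anything that could start a new header line."""
    return INJECTION_RE.search(value) is not None


def build_raw_unsafe(to, sender, subject, body):
    """Naive concatenation, as a vulnerable mailer does it: whatever the
    user put in `subject` lands verbatim inside the header block."""
    return (f"From: {sender}\r\nTo: {to}\r\nSubject: {subject}\r\n"
            f"\r\n{body}")


def header_names(raw):
    """Header field names a receiving MTA would see in a raw message."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")]


def build_safe(to, sender, subject, body):
    """Reject line breaks in the header fields only; the body keeps its
    newlines because set_content() never lets them reach a header."""
    for name, value in (("To", to), ("From", sender), ("Subject", subject)):
        if is_injected(value):
            raise ValueError(f"possible header injection in {name}")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)   # newlines from a textarea are fine here
    return msg


def try_build_safe(to, sender, subject, body):
    """(message, None) on success, (None, reason) when a header is rejected."""
    try:
        return build_safe(to, sender, subject, body), None
    except ValueError as exc:
        return None, str(exc)


def library_rejects(subject):
    """Second line of defence: EmailMessage itself refuses to store a
    header value containing CR or LF, independent of our own check."""
    msg = EmailMessage()
    try:
        msg["Subject"] = subject
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    raw = build_raw_unsafe("alice@example.com", "noreply@example.com",
                           EVIL_SUBJECT, "hi")
    print("naive build, headers seen by the MTA:", header_names(raw))
    print("is_injected(EVIL_SUBJECT):", is_injected(EVIL_SUBJECT))
    print("is_injected(TEXTAREA_BODY):", is_injected(TEXTAREA_BODY))
    print("safe build rejects:", try_build_safe("alice@example.com",
          "noreply@example.com", EVIL_SUBJECT, "hi")[1])
```

Note that is_injected(TEXTAREA_BODY) is true, which is exactly why running the check over the body would reject every multi-line textarea submission: the check is a header-field check, and the body only needs HTML handling (see the answer below about HTML mail).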
Email injection is a security vulnerability that allows malicious users to send email messages using someone else's server without prior authorization. A malicious spammer could use this tactic to send large numbers of messages anonymously.
SMTP header injection vulnerabilities arise when user input is placed into email headers without adequate sanitization, allowing an attacker to inject additional headers with arbitrary values.
HTML injection, also known as cross-site scripting (XSS), is a security vulnerability that allows an attacker to inject HTML code into web pages that are viewed by other users.
There's a possible injection in the body text if you're speaking native SMTP to the mail server.
A single "." on its own terminates the current body in SMTP, so in theory you could have user supplied input like this:

    some body text
    .
    MAIL FROM: <...>
    RCPT TO: <...>
    DATA
    Subject: here's some spam
    here's a new body

and the SMTP server might allow the second message through.
Some SMTP servers can be configured to prevent this by not allowing SMTP commands to be pipelined (i.e. requiring the client to read the response before permitting the next command).
If the email's an HTML mail, and particularly if the receiver's going to be viewing it in web-based email (Hotmail, Gmail, Yahoo, etc.) or an email client that supports HTML views, then injection into the body is definitely a concern: XSS can happen anywhere.
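As an added example (mine, not part of the answer above), here is a small Python simulation of the DATA phase the answer describes, plus the HTML point at the end. A toy server-side reader consumes lines until a line that is exactly "." and hands back whatever follows as the next SMTP commands; fed the body above verbatim, the leftover starts with MAIL FROM. The client-side fix shown is dot-stuffing from RFC 5321 section 4.5.2 (any body line beginning with "." gets an extra "." prefixed, which the receiver strips again); a conforming SMTP client library does this for every body, Python's smtplib in smtplib.quotedata. The sample body and addresses are constructed, and the last function shows html.escape() applied to body text destined for an HTML mail.

```python
import html

CRLF = "\r\n"

# Constructed user input in the shape the answer describes: a lone "." line
# followed by what the attacker hopes will be parsed as a second message.
EVIL_BODY = ("some body text\n.\nMAIL FROM: <spammer@example.com>\n"
             "RCPT TO: <victim@example.com>\nDATA\nSubject: here's some spam\n"
             "here's a new body")


def dot_stuff(body):
    """Client side (RFC 5321 section 4.5.2): normalise line endings to CRLF
    and prefix an extra '.' to every line that starts with '.', so no body
    line can be mistaken for the end-of-data marker."""
    lines = body.replace(CRLF, "\n").replace("\r", "\n").split("\n")
    return CRLF.join(("." + ln) if ln.startswith(".") else ln for ln in lines)


def send_naive(body):
    """What a mailer that writes the body verbatim puts on the wire."""
    return body.replace("\n", CRLF) + CRLF + "." + CRLF


def send_stuffed(body):
    """The same, but with dot-stuffing applied first."""
    return dot_stuff(body) + CRLF + "." + CRLF


def server_data_phase(stream):
    """Toy receiving side: read lines until one that is exactly '.',
    un-stuffing a leading '..' back to '.'. Returns (body_lines, leftover),
    where leftover is what the server would parse as further SMTP commands,
    or None if the terminator never arrived (data phase still open)."""
    body = []
    lines = stream.split(CRLF)
    for i, ln in enumerate(lines):
        if ln == ".":
            return body, CRLF.join(lines[i + 1:])
        body.append(ln[1:] if ln.startswith(".") else ln)
    return body, None


def body_text(stream):
    """Body the server accepted, rejoined with '\\n' for easy comparison."""
    return "\n".join(server_data_phase(stream)[0])


def leftover(stream):
    """Bytes the server would treat as the next commands after the body."""
    return server_data_phase(stream)[1]


def html_body(user_text):
    """For HTML mail: escape user text before embedding it in markup, then
    turn newlines into <br> so a textarea's line breaks still render."""
    return "<p>" + html.escape(user_text, quote=True).replace("\n", "<br>") + "</p>"


if __name__ == "__main__":
    print("naive: body =", repr(body_text(send_naive(EVIL_BODY))))
    print("naive: leftover commands =", repr(leftover(send_naive(EVIL_BODY))))
    print("stuffed: body == original?", body_text(send_stuffed(EVIL_BODY)) == EVIL_BODY)
    print("stuffed: leftover =", repr(leftover(send_stuffed(EVIL_BODY))))
    print(html_body("<script>alert(1)</script>\nhello"))
```

With the naive sender the server stops at the first "." and is left holding "MAIL FROM: ..." as its next input; with dot-stuffing the same user text is delivered intact as one body and nothing is left over. Whether the attack in the answer works in practice therefore comes down to whether the code speaking SMTP applies this rule, not to the body check in the question.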