E-Mail injection


Page modified: Saturday, June 24, 2006 10:37:39

Email injection is the exploitation of a security vulnerability in a web application that allows an attacker to send email through an unprotected contact form without the operator's knowledge or consent. The attacker's main interest is usually sending spam. The term is derived from the vulnerability known as SQL injection.

How it works

The vulnerability consists in the fact that data entered into a contact form is passed on to the mail server without further checking. The attacker benefits from two facts: the headers of an email form a line-by-line block of information at the beginning of the message, and some programming languages used for web applications perform no check of the data when sending an email. Email injection therefore consists of filling single-line inputs, e.g. the subject of the inquiry, with multi-line data. In this way additional recipients, if necessary also as CC or BCC, can be set even if the programmer of the web application hard-coded the recipient address.

Prevalence

Although the vulnerability had been known since 2004, it was exploited only in isolated cases; since 2005, reports have accumulated that search bots, similar to those of a search engine, probe web pages for contact forms on a large scale and test them by brute force for this vulnerability. It is to be expected that the information collected in this way will be used in the near future to send spam on a larger scale.

Example

The following dump shows the data of such an HTTP request to a contact form of a web application written in PHP.

  $_REQUEST = array(1) {
    ["more name_absender"] => string(215) "OF
  Content-Type: text/plain; charset="us-ascii"
  MIME-Version: 1.0
  Content-Transfer-Encoding: 7bit
  Subject: nton on incoln. e D bucked off befure
  bcc: charleslegbe@aol.com
  ec36ff5aa45502446284c4f3ce2b3896
  "
  }

$_REQUEST is the array that contains all variables passed with the HTTP request. In this case it holds only the variable "more name_absender". Its value is a string of 215 characters that spans nine lines. If the web application inserts the sender's name into the header of an email, the email is inadvertently also sent to the given address at the provider AOL. This is not yet about sending spam, but about testing whether the contact form in question is susceptible to the vulnerability. The line with 32 characters is probably a hash value with which the attacker encoded the URL of the unprotected contact form, in order to identify it again later.
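The following Python function is an added example for triaging such a submission; it is not part of the original article and not the code of the PHP form described there. It takes a form field value as the application received it, treats the first line as the legitimate single-line input, and reports which header fields the remaining lines would inject, which extra recipients they name, and any 32-character hexadecimal token of the kind the article interprets as a tracking hash. The sample value is constructed from the dump above: the header names, the bcc address and the token come from the page, but the exact line layout and line endings are assumed.

```python
import re

# Constructed from the captured value in the article; the line layout is assumed.
PROBE_VALUE = (
    "OF\r\n"
    'Content-Type: text/plain; charset="us-ascii"\r\n'
    "MIME-Version: 1.0\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "Subject: nton on incoln. e D bucked off befure\r\n"
    "bcc: charleslegbe@aol.com\r\n"
    "ec36ff5aa45502446284c4f3ce2b3896\r\n"
)

# A header line is a field name (letters, digits, hyphens) followed by a colon.
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
# A bare 32-character lowercase hex string, as used by the probe to tag the form.
HEX_TOKEN = re.compile(r"^[0-9a-f]{32}$")
RECIPIENT_FIELDS = ("to", "cc", "bcc")


def analyze_field(value: str) -> dict:
    """Describe what a multi-line form value would inject into a mail header block.

    Line 0 is the value a single-line input is supposed to carry; every further
    line is text the application would paste into the header block unchanged.
    """
    lines = value.splitlines()
    injected = {}
    extra_recipients = []
    tokens = []
    for line in lines[1:]:
        match = HEADER_LINE.match(line)
        if match:
            name, field_value = match.group(1).lower(), match.group(2)
            injected.setdefault(name, []).append(field_value)
            if name in RECIPIENT_FIELDS:
                extra_recipients.extend(a.strip() for a in field_value.split(","))
        elif HEX_TOKEN.match(line.strip()):
            tokens.append(line.strip())
    return {
        "is_probe": bool(injected),
        "line_count": len(lines),
        "injected_headers": sorted(injected),
        "extra_recipients": extra_recipients,
        "tracking_tokens": tokens,
    }


if __name__ == "__main__":
    for key, val in analyze_field(PROBE_VALUE).items():
        print(f"{key}: {val}")
    print("benign value is probe:", analyze_field("Alice Example")["is_probe"])
```

Applied to the captured value, the function flags the submission as a probe, lists the five injected header fields, extracts the bcc address and isolates the hash token; a normal one-line name produces no findings. Running this over stored form submissions is a cheap way to see whether a site is being scanned for the vulnerability before any spam is actually relayed.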

Preventive measures

In various Internet forums a number of partially or entirely ineffective preventive measures circulate. Among these are deliberately locking out certain search bots on the basis of the email address they use, checking the Referer when processing the input, or accepting input from the contact form only via HTTP POST. The only effective measure is to prevent line breaks in variables that are later inserted into the header of the email. Whether one truncates a multi-line string to its first line or aborts processing of the program when line breaks are found is left to the programmer.
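The following Python module is an added example illustrating the mechanism from "How it works" and the two effective countermeasures named above; it is not code from the original article, and it stands in for the PHP form only as an illustration. The fixed recipient, the sender names and the address in the probe value are constructed. The weak construction pastes the sender name into the header block unchecked; the hardened construction first passes the value through either of the article's two strategies (truncate to the first line, or abort with an exception). The standard library's email parser is then used to read each header block the way a mail program would, so that the extra recipient introduced by the line break becomes visible.

```python
import re
from email import message_from_string

# Constructed values: the operator's hard-coded recipient and two form submissions.
FIXED_RECIPIENT = "contact@example.invalid"
BENIGN_NAME = "Alice Example"
PROBE_NAME = "Alice\r\nbcc: relay-test@example.invalid\r\nSubject: probe"


class HeaderInjection(ValueError):
    """Raised when a value destined for a header field contains a line break."""


def build_headers_vulnerable(sender_name: str) -> str:
    """Weak construction: the form value is pasted into the header block unchecked."""
    return (
        f"To: {FIXED_RECIPIENT}\r\n"
        f"From: {sender_name} <form@example.invalid>\r\n"
        "Subject: Contact form\r\n"
    )


def first_line(value: str) -> str:
    """Mitigation 1: keep only the text before the first CR or LF."""
    return re.split(r"[\r\n]", value, maxsplit=1)[0]


def require_single_line(value: str) -> str:
    """Mitigation 2: refuse to continue when a line break is present."""
    if re.search(r"[\r\n]", value):
        raise HeaderInjection("line break in header value")
    return value


def build_headers_hardened(sender_name: str, strategy=require_single_line) -> str:
    """Same construction, but the value goes through one of the two mitigations first."""
    name = strategy(sender_name)
    return (
        f"To: {FIXED_RECIPIENT}\r\n"
        f"From: {name} <form@example.invalid>\r\n"
        "Subject: Contact form\r\n"
    )


def recipients(headers: str) -> list:
    """Interpret the header block as a mail program does and list every recipient."""
    msg = message_from_string(headers + "\r\n")  # blank line ends the header block
    found = []
    for field in ("to", "cc", "bcc"):
        found.extend(msg.get_all(field, []))
    return found


def is_rejected(sender_name: str) -> bool:
    """True if the strict mitigation aborts processing for this value."""
    try:
        build_headers_hardened(sender_name)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", recipients(build_headers_vulnerable(PROBE_NAME)))
    print("truncated :", recipients(build_headers_hardened(PROBE_NAME, strategy=first_line)))
    print("rejected  :", is_rejected(PROBE_NAME))
```

With the probe value, the vulnerable header block yields two recipients although the operator hard-coded one; the truncating strategy keeps only the hard-coded recipient, and the strict strategy aborts before any message is built. Which of the two to use is, as the article says, a design decision: truncation keeps the form usable for a user who pasted a multi-line name by accident, while aborting makes the probe visible in the application's error handling.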

See also

  • Cross-site scripting
  • Security vulnerability
  • Computer security
