|  | header injection in mail | | |
| | | Jeff |  |
|  Posted: Mon Sep 01, 2008 7:31 pm Post subject: header injection in mail |  |
I'm writing my php "form mail" script.
Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF? It seems to me it easily could and
should, but does it?
Jeff |
| |
| | | Michael Fesser | |
| | Posted: Mon Sep 01, 2008 7:47 pm Post subject: Re: header injection in mail | |
..oO(Jeff)
| Quote: | I'm writing my php "form mail" script.
Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF?
|
No. mail() is a rather low-level tool. You are responsible for feeding
it correct data.
BTW: CR and LF are not the only things to worry about in the TO: field.
This header also allows multiple comma-separated mail addresses ...
| Quote: | It seems to me it easily could and
should, but does it?
|
May I suggest PHPMailer?
LINK
This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.
Micha |
| |
| | | Chuck Anderson | |
| | Posted: Mon Sep 01, 2008 9:09 pm Post subject: Re: header injection in mail | |
Michael Fesser wrote:
| Quote: | .oO(Jeff)
I'm writing my php "form mail" script.
Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF?
No. mail() is a rather low-level tool. You are responsible for feeding
it correct data.
BTW: CR and LF are not the only things to worry about in the TO: field.
This header also allows multiple comma-separated mail addresses ...
It seems to me it easily could and
should, but does it?
May I suggest PHPMailer?
LINK
This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.
Micha
|
Are you saying PhpMailer filters out comma separated email addrs,
CRLF's, etc., ... from headers?
--
*****************************
Chuck Anderson • Boulder, CO
LINK
Nothing he's got he really needs
Twenty first century schizoid man.
*********************************** |
| |
| | | Twayne | |
| | Posted: Mon Sep 01, 2008 11:03 pm Post subject: Re: header injection in mail | |
| |  | |
| Quote: | Michael Fesser wrote:
.oO(Jeff)
I'm writing my php "form mail" script.
Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF?
No. mail() is a rather low-level tool. You are responsible for
feeding it correct data.
BTW: CR and LF are not the only things to worry about in the TO:
field. This header also allows multiple comma-separated mail
addresses ...
It seems to me it easily could and
should, but does it?
May I suggest PHPMailer?
LINK
This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get
easier. Micha
Are you saying PhpMailer filters out comma separated email addrs,
CRLF's, etc., ... from headers?
|
Well, with hype like :
" strategies to get your emails past spam checkers, and specifications
for popular servers.
... more "
on their opening page, I'd say they should be drilled into the ground
until they meet lava and than another quarter mile just for good
measure. That soured me on them pretty quickly - they're spammer
friendly and the only good spammer is a dead spammer. |
| |
| | | Chuck Anderson | |
| | Posted: Mon Sep 01, 2008 11:10 pm Post subject: Re: header injection in mail | |
| | | |
Twayne wrote:
| Quote: | Michael Fesser wrote:
.oO(Jeff)
I'm writing my php "form mail" script.
Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF?
No. mail() is a rather low-level tool. You are responsible for
feeding it correct data.
BTW: CR and LF are not the only things to worry about in the TO:
field. This header also allows multiple comma-separated mail
addresses ...
It seems to me it easily could and
should, but does it?
May I suggest PHPMailer?
LINK
This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get
easier. Micha
Are you saying PhpMailer filters out comma separated email addrs,
CRLF's, etc., ... from headers?
Well, with hype like :
" strategies to get your emails past spam checkers, and specifications
for popular servers.
... more "
on their opening page, I'd say they should be drilled into the ground
until they meet lava and than another quarter mile just for good
measure. That soured me on them pretty quickly - they're spammer
friendly and the only good spammer is a dead spammer.
|
You misunderstand. ISP mail servers have become more stringent about
requiring certain protocols. Phpmailer is assuring you that it will get
you through all the proper protocols, not that it will perpetrate deception.
--
*****************************
Chuck Anderson • Boulder, CO
LINK
Nothing he's got he really needs
Twenty first century schizoid man.
*********************************** |
| |
| | | Michael Fesser | |
| | Posted: Mon Sep 01, 2008 11:50 pm Post subject: Re: header injection in mail | |
| | | |
..oO(Twayne)
| Quote: | Michael Fesser wrote:
May I suggest PHPMailer?
LINK
This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get
easier. Micha
Are you saying PhpMailer filters out comma separated email addrs,
CRLF's, etc., ... from headers?
Well, with hype like :
" strategies to get your emails past spam checkers, and specifications
for popular servers.
... more "
on their opening page, I'd say they should be drilled into the ground
until they meet lava and than another quarter mile just for good
measure. That soured me on them pretty quickly - they're spammer
friendly and the only good spammer is a dead spammer.
|
The next time please read a bit further before you blame them for being
spammer friendly. All they do is offering help in order to prevent false
positives, because many big host's spam filters are too restrictive or
use techniques that you might have to take into account when sending an
mail from a script. Same thing for the mentioned server specifications -
it's just helpful info.
Micha |
| |
| | | Michael Fesser | |
| | Posted: Mon Sep 01, 2008 11:50 pm Post subject: Re: header injection in mail | |
..oO(Chuck Anderson)
| Quote: | Michael Fesser wrote:
May I suggest PHPMailer?
LINK
This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.
Are you saying PhpMailer filters out comma separated email addrs,
CRLF's, etc., ... from headers?
|
Headers are secured, but the addresses are still your task. There's no
input validation for them in PHPMailer. The script can't know if you
want to use a single address or multiple ones, so you have to check that
yourself before creating the email.
Micha |
| |
| | | RJ_32 | |
| | Posted: Tue Sep 02, 2008 1:34 am Post subject: Re: header injection in mail | |
Michael Fesser wrote:
| Quote: | May I suggest PHPMailer?
LINK
This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.
|
Does it get past Hotmail's spam filtering? |
| |
| | | Jeff | |
| | Posted: Tue Sep 02, 2008 2:51 am Post subject: Re: header injection in mail | |
| | | |
Michael Fesser wrote:
| Quote: | .oO(Jeff)
I'm writing my php "form mail" script.
Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF?
No. mail() is a rather low-level tool. You are responsible for feeding
it correct data.
BTW: CR and LF are not the only things to worry about in the TO: field.
This header also allows multiple comma-separated mail addresses ...
It seems to me it easily could and
should, but does it?
May I suggest PHPMailer?
|
Yes!
| Quote: |
LINK
This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.
|
Certainly looks like a snap to send attachments and multipart. Not easy
in perl!
A few questions though.
Do you have to set the mail transport and host?
why this?:
$body = eregi_replace("[\]",'',$body); // for html
and for plain text do I just need to set word wrap and do:
$mail_instance->Body = $message;?
Jeff
|
| |
| | | RJ_32 | |
| | Posted: Tue Sep 02, 2008 3:32 am Post subject: Re: header injection in mail | |
Jeff wrote:
| Quote: | Michael Fesser wrote:
.oO(Jeff)
May I suggest PHPMailer?
Do you have to set the mail transport and host?
|
if you want to send via SMTP, yes. That's not set by default.
or instead of isSMTP(), you can send by calling IsSendmail or IsQmail or even
IsMail
| Quote: |
why this?:
$body = eregi_replace("[\]",'',$body); // for html
|
good question, why strip backslashes? are they worried about stray \r\n or \n?
| Quote: | and for plain text do I just need to set word wrap and do:
$mail_instance->Body = $message;?
|
it's just a string, yes. Setting a wordwrap would seem to be up to you. |
| |
| Page 1 of 2 .:. Goto page 1, 2 Next | |
|
|
