Email Form Vulnerabilities
mail.php code:
<?php
$to = "andrew@something.com";
$subject = "Email from website";
$message = $_REQUEST["body"];   // $_REQUEST also accepts GET parameters, not just the form's POST
$email = $_REQUEST["email"];    // never validated, and goes straight into the mail headers
$headers = "From: $email";      // a linefeed in $email starts a new header line here
mail($to, $subject, $message, $headers);
echo "Your form will be emailed to Andrew.";
?>
form.html code:
<form action='mail.php' method='post'>
Email: <input type='text' name='email'><br>
Mail body: <textarea name='body'></textarea><br>
<input type='submit' value='Send comments'>
</form>
Here is an example of a stripped-down form processor that is meant to email the
form contents to my email account. Hard-coding the To address alone is not
enough to prevent spam. Notice that the code above uses $_REQUEST, which accepts
both $_POST and $_GET; in this case it is better to read the values from $_POST
explicitly. The example above can be defeated with the following URL:
http://somedomainname.com/mail.php?body=spam&email=spam@spammer.com%0Abcc:victim1@victim.com,victim2@victim.com
Analyzing the HTML code for the form reveals the variable names, which is how
the spammer would learn the names body and email. The body contains "spam" in
our example, but in the real world it would probably contain links to many
unscrupulous sites. Now for how this method works: the email field also carries
a Bcc field, which is what the spammer exploits. %0A in the URL above is a
URL-encoded linefeed, so the value is split onto a new header line.
So now the headers for this email look like:
To: acy3@hood.edu
Subject: Email from website
From: spam@spammer.com
Bcc: victim1@victim.com,victim2@victim.com
To remedy this issue one could add code that checks every submitted value for
suspicious strings (above all carriage returns and linefeeds) and rejects
invalid email addresses. However, one should be aware that many other header
fields can be exploited in the same way, such as Content-Type:, MIME-Version:,
multipart/mixed and Cc as well as Bcc. Bcc just happens to be one of the most
commonly exploited fields.
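A hardened version of mail.php that applies those two checks, added here as an example and not code from the original page; it assumes the same form field names (email, body), a fixed sender address webform@somedomainname.com, and that the script is only ever reached from the form.

```php
<?php
// Hardened rewrite of the mail.php shown above (added example, not the page's
// own code). Reads only $_POST, so the GET-based URL in the text is ignored,
// and refuses any value that could start a new header line.

// True if the value contains a carriage return or linefeed, the characters
// that let "bcc:", "cc:" or any other header be smuggled into mail().
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns the address if it is syntactically valid, otherwise null.
// FILTER_VALIDATE_EMAIL rejects whitespace, so an address with an
// embedded "\nbcc:..." fails here as well.
function validate_sender(string $email): ?string
{
    $clean = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

if ($_SERVER["REQUEST_METHOD"] !== "POST") {
    http_response_code(405);
    exit("Use the form to send comments.");
}

$to      = "andrew@something.com";
$subject = "Email from website";
$email   = isset($_POST["email"]) ? (string) $_POST["email"] : "";
$message = isset($_POST["body"])  ? (string) $_POST["body"]  : "";

$sender = validate_sender($email);
if ($sender === null || has_header_injection($email) || has_header_injection($message)) {
    http_response_code(400);
    // Deliberately generic: the rejected input is not echoed back to the client.
    exit("Invalid submission.");
}

// Keep the visitor-supplied address out of From: (assumed fixed sender address);
// Reply-To still lets Andrew answer the visitor directly.
$headers = "From: webform@somedomainname.com\r\nReply-To: $sender";
mail($to, $subject, $message, $headers);
echo "Your form will be emailed to Andrew.";
?>
```

With this in place the URL from the text yields a 405, and the same payload submitted through the form yields a 400 before mail() is ever called.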