
I've found myself working on another developer's code. By his own admission he's just a beginner so I want to give solid advice.

I came across this:

<?php

// Form input flows straight into the header block and the subject line.
$headerFields = array(
    "From: " . $_POST[...],
    "MIME-Version: 1.0",
    "Content-Type: text/html;charset=utf-8"
);

mail(
    "submissions@[...].com",
    "Submission to [...] from " . $_POST[...],
    "New submission to [...]

Name*: " . $_POST[...] . " [...big-snip...]",
    implode("\r\n", $headerFields)
);

(edited heavily, obviously)

I tend not to use mail() very often, but my instinct is to sanitise everything with extreme prejudice. Is there any specific danger in leaving this as is, or could someone of sufficient skill do some damage?

Funk Forty Niner

2 Answers

Yes, you are correct that every input from users needs to be sanitized and validated.

Golden rule: "Never trust your user"

One issue is that a non-technical user might put anything in the name. For example, they input an email address instead of a name; we don't know what kind and type of user we will encounter. Some users will input dots or even spaces even if there's a label saying that only alphanumeric characters are acceptable. This can cause data integrity issues. Based on my experience (learned the hard way), I encountered a user who put N/A in a field he/she didn't understand instead of leaving it blank, and it caused trouble. So validation is a MUST.

Another issue is that HTML is allowed in emails. A user with a programming background can put a link in there, and the receiver might click it and be led to a malicious website. Also, what if I put this in there (replacing the $_POST)? It will ruin your header fields and might cause problems:

$headerFields = array(
    "From: ". "\r\n FROM: DERP\r\n TO: IWANTTODESTROYTHEWORLD\r\n WOW: ASDASD\r\n MIME-Version: wow",
    "MIME-Version: 1.0",
    "Content-Type: text/html;charset=utf-8"
);

The above example is not so dangerous and will/might yield only errors, but some users might have the extra capabilities to inject malicious code, so clean it up; having proper validation is a must.

Ceeee
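To make the answer's point concrete, here is an added PHP example (not code from the question or from either answer) showing what the original pattern hands to mail() when a submitter puts a CRLF into the From field, next to a hardened replacement that rejects such input before mail() is ever called. The helper names (isCleanHeaderValue, buildSubmissionHeaders), the placeholder sender address and the sample payload are all constructed for this illustration and are assumptions, not anything from the original post.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answers.
// Helper names, the placeholder sender and the payload are constructed.

/**
 * A header value may never contain CR, LF or NUL. A single "\r\n" lets the
 * submitter terminate the From: line and append headers of their own
 * (Bcc:, an extra To:, a replacement Content-Type). Do not rely on any
 * newline check inside mail() itself; validate before you get there.
 */
function isCleanHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Build the additional_headers string for mail() from untrusted form input.
 * Returns null when the input cannot be used safely.
 */
function buildSubmissionHeaders(string $fromEmail, string $fromName): ?string
{
    if (!isCleanHeaderValue($fromEmail) || !isCleanHeaderValue($fromName)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL rejects whitespace and control characters as
    // well as syntactically invalid addresses.
    if (filter_var($fromEmail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Example length policy; pick whatever your form actually needs.
    if ($fromName === '' || strlen($fromName) > 100) {
        return null;
    }

    // Safer still: do not put the visitor's address in From: at all. Use a
    // fixed sender you control and put the visitor in Reply-To:, where it is
    // a single validated token. text/plain also removes the clickable-link
    // problem the answer describes for text/html bodies.
    $headers = [
        'From: website@example.com',          // placeholder sender
        'Reply-To: ' . $fromEmail,
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=utf-8',
    ];
    return implode("\r\n", $headers);
}

// Constructed payload: a valid-looking address followed by an injected header.
$payload = "attacker@example.com\r\nBcc: everyone@example.net";

// Original pattern: the value is concatenated straight into the header block.
$unsafe = implode("\r\n", [
    'From: ' . $payload,
    'MIME-Version: 1.0',
    'Content-Type: text/html;charset=utf-8',
]);
echo "--- what mail() receives with the original pattern ---\n$unsafe\n\n";
// The Bcc: line is now a real header: the MTA copies every submission to
// the attacker's address. The same applies to the Subject argument, which
// is also a header and also needs isCleanHeaderValue().

$safe = buildSubmissionHeaders($payload, 'Jane Doe');
var_dump($safe); // NULL: rejected, mail() is never called with it

$safe = buildSubmissionHeaders('jane@example.org', 'Jane Doe');
echo "--- hardened headers ---\n$safe\n";
```

Run it with the CLI (`php example.php`) and compare the two header blocks: in the first, the injected Bcc: sits on its own line exactly as the MTA will read it; in the second, the same payload never reaches mail() at all. Apply the same CR/LF check to every value that ends up in a header, including the subject, not only the From field.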

Someone of sufficient skill could inject some malicious code into the posted fields and have it executed, i.e. modified headers.

http://securephpwiki.com/index.php/Email_Injection

Concerning pure PHP injection, my quick search couldn't find an example with mail(), but that doesn't mean it is impossible.

Lambic