
Been stuck on this for a few days. I'm trying to reproduce an example of mail header injection I found (http://www.phpsecure.info/v2/article/MailHeadersInject.en.php). A post on the matter already exists (email header injection - example not working) but it didn't have any solution. I have a basic contact form using the POST method with three fields (From, Subject and Message) which are then used to send a mail. I need the user to be able to enter Unicode/hex characters in the fields.

For example, if the user enters `address%40gmail%2ecom` I want the output in the SMTP payload to be `From: address@gmail.com`.

If I hardcode `$from = "address%40gmail%2ecom"` the output is the wanted one.

However, if I use the user input in the 'from' field of the form, i.e. `$from = $_POST['from']`, the output I get when I check the debug log of my SMTP client is `From: address%40gmail%2ecom`. Am I doing something wrong with the encoding, or is there some protection activated that I have to get rid of?

If that's relevant, I'm using WAMPServer and PHP 7.1.

My code:

```php
<html>
    <head>
        <meta http-equiv="content-type" content="text/html" />
        <title>Vulnerable contact page</title>
        <link rel="stylesheet" href="email.css"/>
    </head>

    <body>
        <form method="POST" action="">
            <fieldset>
                <legend>Send us a mail</legend>

                <label for="sender">From : </label>
                <input type="text" name="from" id="sender">
                <br>
                <label for="subject">Subject : </label>
                <input type="text" name="subject" id="subject">
                <br>
                <label for="message">Your message : </label>
                <input type="text" name="message" id="message">
            </fieldset>
            <p>
                <input type="submit" value="Send"/>
                <input type="reset" value="Cancel"/>
            </p>
        </form>

        <?php
        if (isset($_POST['from'])) {
            $to = "*********@gmail.com";
            // Raw, unvalidated form input goes straight into the mail headers
            // (intentionally vulnerable: this is the behaviour being reproduced).
            $from = $_POST['from'];
            $subject = $_POST['subject'];
            $message = $_POST['message'];
            $headers = "From: $from\n";

            mail($to, $subject, $message, $headers);
        }
        ?>
    </body>
</html>
```
  • Where did you read that HTML forms were using PHP syntax? – Olivier Mar 09 '20 at 18:45
  • Indeed that's a good point. However I may have been unclear about the core of my problem (that is using the user input containing Unicode characters as a parameter to send a mail and not displaying it). Editing my post. – Matthieu L. Mar 09 '20 at 19:21
  • Duplicate: [PHP convert string to hex and hex to string](https://stackoverflow.com/questions/14674834/php-convert-string-to-hex-and-hex-to-string) – Martin Mar 09 '20 at 19:41
  • Not really understanding your question. When you hardcode it, it is `address%40gmail%2ecom`, but when submitted by form it is `address%40gmail%2ecom` (the same string)? What is the problem then? – ArSeN Mar 09 '20 at 20:38
  • When I hardcode, the result isn't `address%40gmail%2ecom`, it is `address@gmail.com` (the expected and correct result). – Matthieu L. Mar 09 '20 at 21:08
  • Note: your form is vulnerable. Users can add additional headers in `from` (just with a new line character), and so spam the world (`headers` is by definition multiline). Please do not create new mail forms (or use secure libraries). The worst you can get to clients is a message system where nobody reads mail because it is 99.9% spam (and it happened long ago at large companies; as you see, your system is much like the years 199x). – Giacomo Catenazzi Mar 10 '20 at 07:24
  • Thanks for the reply but you could have at least read the post... Creating a vulnerable form is precisely my goal... – Matthieu L. Mar 10 '20 at 15:04
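The following is an added example, not the asker's code or anything from the phpsecure article. It assumes the same single `from` form field as the question and does not call `mail()`; it only builds the header block. It puts the question's header construction next to a hardened version and runs both over constructed inputs. Two points it makes concrete: PHP decodes the `application/x-www-form-urlencoded` body exactly once, so a `%` typed into the field (sent by the browser as `%25`) arrives as a literal `%` and `address%40gmail%2ecom` reaches the header unchanged, which is what the SMTP debug log showed; and if percent-encoded input is to be accepted, it must be decoded explicitly with `rawurldecode()` and validated *after* decoding, because `%0a` only becomes a line break at that step (the injection Giacomo Catenazzi's comment describes).

```php
<?php
// Added example (not the question's code): safe construction of a From: header.
// Assumes the question's "from" form field; mail() is deliberately not called.

declare(strict_types=1);

/**
 * Decode percent-encoding explicitly (PHP has already decoded the form body
 * once, so "address%40gmail%2ecom" arrives still encoded), then validate the
 * DECODED value: any CR or LF, or anything that is not a single e-mail
 * address, is rejected. Returns null on rejection.
 */
function safe_from_address(string $raw): ?string
{
    $decoded = rawurldecode($raw);            // "%0a" turns into "\n" here, so check afterwards
    if (preg_match('/[\r\n]/', $decoded)) {   // a line break would start an extra header line
        return null;
    }
    $valid = filter_var($decoded, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/** The question's construction, kept for comparison: raw input straight into the header block. */
function vulnerable_headers(string $from): string
{
    return "From: $from\n";
}

/** Hardened construction: only a validated address reaches the header; CRLF as the line ending. */
function hardened_headers(string $raw): ?string
{
    $from = safe_from_address($raw);
    return $from === null ? null : "From: $from\r\n";
}

// Constructed sample inputs, as they would sit in $_POST['from'] after PHP's single decode:
$samples = [
    'address%40gmail%2ecom',                                 // the question's percent-encoded address
    'user@example.com',                                      // plain address
    "user@example.com\nBcc: everyone@example.net",           // literal newline: extra Bcc header line
    'user%40example.com%0aBcc%3A%20everyone%40example.net',  // same thing, percent-encoded
];

foreach ($samples as $s) {
    printf("input:      %s\n", json_encode($s));
    printf("vulnerable: %s\n", json_encode(vulnerable_headers($s)));
    printf("hardened:   %s\n\n", json_encode(hardened_headers($s)));
}
```

Run it with `php example.php`. The first sample comes out of the vulnerable path as `From: address%40gmail%2ecom` (the log line from the question) and out of the hardened path as `From: address@gmail.com`; the third sample is a second header line in the vulnerable output and `null` in the hardened one; the fourth sample looks harmless to the vulnerable path only because it is never decoded, and the hardened path rejects it precisely because it validates after `rawurldecode()`. The order of those two steps is the whole point: decoding after validation would reopen the hole.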

0 Answers