First of all, this question is for personal knowledge, and not for any kind of attack :) Hope you'll believe me and give me some hints.
I'm trying to reproduce an example of mail header injection I found (link-> http://www.phpsecure.info/v2/article/MailHeadersInject.en.php). Basically it uses a form to get 3 parameters (subject, message and sender mail), then these parameters are sent with the POST method and used in the PHP mail() function to send to an admin's mail.
Everything works fine, each mail is sent without problem, but when I try to inject some other parameters such as Cc, Bcc etc. the trick doesn't work: neither \r & \n nor %0A & %0D are interpreted as CR and LF. For example, if I put my@mail.com%0ACc:foo@bar.com in the "From" field, in the "my@mail.com" inbox I'll find the mail, with the same "From" field as it was sent (my@mail.com%0ACc:foo@bar.com). Does PHP or does the input tag encode (or unencode) the input properly? How can I make it work?
Hope you can understand my bad English, thanks in advance, best regards.
PS: the article I linked is dated 2005. Recently I found that a similar bug with HTTP header splitting using the PHP function "header()" was fixed, so I thought that they fixed the email header injection problem too. But I can't find anything on the web that confirms this.
______________________EDIT________________________________________
Example working, modifying header within php code:
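    $to = "admin@mail.com";
    $sub = "this is the subject";
    $msg = "this is the message";
    // Headers are built directly in PHP code, so "\r\n" inside the
    // double-quoted string is a real CR LF pair
    $header = "From: foo@foo.com"."\r\n"."Cc: bar@bar.com";
    if (mail($to, $sub, $msg, $header."\n")) {
        echo "sent";
    } else {
        echo "error";
    }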
The email is correctly received both from foo@foo.com and bar@bar.com
Examples NOT working (this is the problem I'd like to solve with your help):
Once I send the mail with the "send" button, only foo@foo.com will get the e-mail, and in the "from" detail (inside the mail) I'll find (1st case) foo@foo.comrnCc: bar@bar.com or (2nd case) foo@foo.com%0D%0ACc: bar@bar.com.
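For a form like the one described in the question (subject, message and sender passed to mail()), the defensive counterpart is to validate every value that ends up in a header before the call. The following is an added example, not part of the original post; the function names and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: validate form-supplied values before they reach mail().
// safe_sender(), safe_subject() and send_contact_mail() are hypothetical names.

// Returns a validated sender address, or null if the value is unsafe.
function safe_sender(string $raw): ?string
{
    // A raw CR or LF would begin a new header line: reject outright.
    if (preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    // Accept only one syntactically valid address, nothing trailing it.
    $addr = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// The subject is also emitted as a header, so it gets the same CR/LF check.
function safe_subject(string $raw): ?string
{
    return preg_match('/[\r\n]/', $raw) ? null : trim($raw);
}

// Calls mail() only when both header values passed validation.
function send_contact_mail(string $to, string $from, string $sub, string $msg): bool
{
    $sender  = safe_sender($from);
    $subject = safe_subject($sub);
    if ($sender === null || $subject === null) {
        return false; // refuse the request instead of trying to clean it up
    }
    return mail($to, $subject, $msg, "From: " . $sender);
}

// Constructed sample inputs, checked without sending anything.
$samples = [
    'foo@foo.com',
    "foo@foo.com\r\nCc: bar@bar.com",   // real CR LF bytes
    'foo@foo.com%0D%0ACc: bar@bar.com', // literal percent-encoded text
];
foreach ($samples as $s) {
    printf("%-45s => %s\n", json_encode($s), safe_sender($s) ?? 'rejected');
}
```

Rejecting the whole request is preferable to stripping characters, because a stripped value still carries the appended header text into the From line.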