email header injection

Tuesday 28 November 2006 12:11:36 pm

I've seen a lot of email header injection attempts on the "tip a friend" forms on multiple ez publish installs I am hosting. Is there any known vulnerabilities with these forms which I should be aware of?

working at www.wardnet.com
blogging at www.jamesward.ca

Wednesday 29 November 2006 11:50:58 am

Hi James

I recently skimmed over some mail classes in EZ and according to my tests the fields for the email addresses of sender and receiver do not pose any problem as the content is validated against a regular expression (which is actually to strict and forbids some valid email addresses as well).

The field for the name of the sender unfortunately seems to be an open door for injection (at least it was on my setup). The same might be true for the name of the receiver, I have not tested this. For now I will just check whether one of these variables contains a linebreak and display an error message if that is the case. I am not sure whether this is sufficient but my mailbox will certainly tell me soon...

Injecting additional message text did not work for me, but I haven't tried to hard. Removing new lines from the name field should hopefully prevent this anyway.

Claudia

Friday 01 December 2006 2:53:40 pm

Hi James

I don't run the sites and was not told of any such problems yet, so I cannot help you there.

Claudia