E-mail injection

E-mail injection refers to the exploitation of a vulnerability in a web application that allows an attacker to send e-mails through an unprotected contact form without the knowledge and consent of the operator. The attacker's main interest is sending spam. The term is derived from the vulnerability SQL injection.

Operation

The vulnerability is that data entered in a contact form is forwarded to the mail server without further checking. The attacker benefits from the fact that the header information is placed line by line at the beginning of the e-mail, and that some programming languages for web applications do not themselves check the data when sending an e-mail. E-mail injection works by filling single-line fields, such as the subject of the request, with multi-line information. In this way additional recipients can be set, for example as "CC" or "BCC", under certain circumstances even if the programmer of the web application has predefined a recipient address.

Dissemination

The vulnerability was known by 2004 but was exploited only sporadically. Since 2005 there have been increasing reports that search bots, similar to those of a search engine, test forms on websites on a large scale for this vulnerability using the brute-force method. It is expected that the information collected in this way will be used in the near future to send spam on a larger scale.

Example

The following shows the data of such an HTTP request to the contact form of a web application written in PHP.

    $_REQUEST = Array {
      ["name_absender"] =>
      string(215) "of
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: nton to incoln. e d be bucked off befure
    bcc: [email protected]

    ec36ff5aa45502446284c4f3ce2b3896
    .
    "
    }

Here $_REQUEST is the array that contains all variables passed with the HTTP request, in this case only the variable "name_absender". Its value is a string of 215 characters that extends over nine lines. If the web application inserts the name of the sender into the header of an e-mail, the e-mail is unintentionally also sent to the given address at the provider AOL. This is not yet the sending of spam itself, but a test of whether the contact form in question is vulnerable to the security issue. The line with the 32 characters is presumably a hash value in which the attacker has encoded the URL of the unprotected contact form in order to identify it later.

Defensive measures

Suitable defensive measures are discussed in internet forums. Supposed protective measures, such as systematically locking out a particular search bot based on the e-mail address it uses, checking the referrer when processing input, or accepting input from the contact form only via HTTP POST, can easily be circumvented.

An effective measure is to prevent line breaks in variables that will later be inserted into the header of the e-mail. Whether a multi-line string is truncated to its first line or processing is aborted when a line break is detected is up to the programmer.
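
The two options named above, truncating to the first line or aborting on a line break, are shown here as an added PHP example that is not part of the original article. The function names, the "From:" header and the sample input are assumptions made for illustration.

```php
<?php
// Added example. Function names and the sample value are hypothetical.

/** Option 1: keep only the first line of a value destined for a header. */
function header_first_line(string $value): string
{
    // Split at the first CR or LF; everything after it is discarded.
    $parts = preg_split('/[\r\n]/', $value, 2);
    return trim($parts[0]);
}

/** Option 2: stop processing if the value contains any line break. */
function header_reject_multiline(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('line break in header field');
    }
    return trim($value);
}

// Constructed form input in the shape of the probe shown in the Example
// section; the address and the token are placeholders.
$name = "of\nContent-Type: text/plain; charset=\"us-ascii\"\n"
      . "Subject: test\nbcc: probe@example.invalid\n\n<32-char token>\n.\n";

// Unchecked use: the field value carries its own header lines into the mail.
$unchecked = "From: " . $name;
echo substr_count($unchecked, "\n"), " line breaks in the unchecked header\n";

// Option 1: the header stays on a single line.
$truncated = "From: " . header_first_line($name);
echo substr_count($truncated, "\n"), " line breaks after truncation\n";

// Option 2: the request is refused before any mail is built.
try {
    header_reject_multiline($name);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Both functions test for CR as well as LF, because either character can end a header line. The same check applies to every form field that ends up in a header, not only the sender name.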
