HTTP header injection

Header injection is a class of security vulnerabilities in web applications that occur when the headers of a protocol are generated dynamically using insufficiently validated user input.

Header injection in HTTP can result in, for example, HTTP response splitting and cross-site scripting. When e-mails are created dynamically by a web application, a header injection attack can be used to add further recipients to an e-mail and so, for example, to send spam (e-mail injection).

Example

A website provides a form with input fields for subject and message, through which visitors can write to the operator. A server-side script then builds the e-mail message from the submitted data and sends it to a predefined address. The resulting e-mail message looks, for example, like this:

    Subject: Subject
    From: [email protected]
    To: [email protected]

    message

If an attacker types a carriage return and line feed followed by BCC: [email protected], [email protected], ... into the subject input field of the form, and the script copies these entries unchecked into the e-mail message, the result is:

    Subject: Spam
    BCC: [email protected], [email protected], ...
    From: [email protected]
    To: [email protected]

    spam

So the e-mail will also be sent as a blind copy (Bcc) to User1, User2, ...

Because the spammer is not interested in the server's response to submitting the e-mail form, he can hide behind IP spoofing. The administrator of the server will see in the log file that each spam mail was sent from a different IP address. The spammer remains completely anonymous.

However, since the webmaster receives a copy of the spam, he will close this vulnerability as soon as possible.

Countermeasures

To prevent header injection, user input must be checked carefully, especially for the metacharacters that apply in the given context.

In general, the individual header fields are separated by the CRLF line-break sequence. It is therefore necessary to filter these characters out of user input or to mask them. For HTTP and SMTP, for example, URL encoding is used for masking, and for SMTP additionally Quoted-printable encoding.
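
The filtering and masking described above, applied to the contact form from the example section. This is an added illustration in Python, not code from the original page; the addresses, the function names and the sample input are constructed for the example.

```python
import re

OPERATOR = "operator@example.org"    # constructed placeholder address
FORM_SENDER = "webform@example.org"  # constructed placeholder address
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # includes CR and LF


def build_unchecked(subject, message):
    """Vulnerable 'before': form input is copied into the header unchecked."""
    return (f"Subject: {subject}\r\nFrom: {FORM_SENDER}\r\n"
            f"To: {OPERATOR}\r\n\r\n{message}")


def build_filtered(subject, message):
    """Filter: reject a subject containing CR, LF or other control characters."""
    if CONTROL_CHARS.search(subject):
        raise ValueError("control character in subject")
    return build_unchecked(subject, message)


def build_masked(subject, message):
    """Mask: Q-encode the subject (RFC 2047) so CR/LF become =0D=0A."""
    encoded = "".join(chr(b) if b < 128 and chr(b).isalnum() else f"={b:02X}"
                      for b in subject.encode("utf-8"))
    word = f"=?utf-8?q?{encoded}?="
    if len(word) > 75:  # RFC 2047 limit for a single encoded-word
        raise ValueError("subject too long for one encoded-word")
    return build_unchecked(word, message)


def header_names(raw):
    """Field names a receiving mail system would see in the header block."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0].lower() for line in head.splitlines()]


if __name__ == "__main__":
    injected = "Spam\r\nBCC: user1@example.com"  # constructed sample input
    print(header_names(build_unchecked(injected, "spam")))  # extra bcc field
    print(header_names(build_masked(injected, "spam")))     # subject, from, to
    try:
        build_filtered(injected, "spam")
    except ValueError as exc:
        print("rejected:", exc)
```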

PHP

In the widely used scripting language PHP, injection via the header function has been prevented automatically since versions 4.4.2 and 5.1.2 respectively. For the mail function, on the other hand, this still has to be secured manually.
