Search code examples
phpcode-injection

Is there any injection vulnerability in the body of an email?

AFAIK there is only a vulnerability within the HEADERS of an email when using user data correct?

I am using the below function to sanitize my data, however I have some textarea fields on the page & hence these may contain linebreaks.. so was wondering if that user data is only going to be put in the body of the email, can it not bother with being sanitized - apart from stripping html of course?

Here is the function:

function is_injected($str) {

    $injections = array('(\n+)',
    '(\r+)',
    '(\t+)',
    '(%0A+)',
    '(%0D+)',
    '(%08+)',
    '(%09+)'
    );

    $inject = join('|', $injections);
    $inject = "/$inject/i";

    if (preg_match($inject,$str)) {
        return true;
    } else {
        return false;
    }

}

As a side note, surprised there wasn't currently a tag for mail-injection / email-injection.

Solution

  • There's a possible injection in the body text if you're speaking native SMTP to the mail server.

    A single . on its own terminates the current body in SMTP, so in theory you could have user supplied input like this:

    some body text
.
MAIL FROM: <...>
RCPT TO: <...>
DATA
Subject: here's some spam

here's a new body

    and the SMTP server might allow the second message through.

    Some SMTP servers can be configured to prevent this by not allowing SMTP commands to be pipelined (i.e. requiring the client to read the response before permitting the next command).