What is Email Header Injection?

Email Header Injection is a web security vulnerability exploited by spammers to send email anonymously. It occurs in web applications that do not properly sanitize user input when preparing and sending email messages. Email Header Injection vulnerabilities are commonly found in websites implementing a “Contact Us” form, which legitimate users use to send emails to the website owner.

Web Forms a Common Target of Email Header Injection Attacks

A website can provide a web form similar to the one below.

[Picture 1: web form]

On this form, a user can enter his name, email address and the message he wants to send. When processing this form, the web application may not sanitize these fields properly while preparing the email for the website owner. A vulnerable implementation (in PHP) can look like this:

This piece of code takes the name and email address provided by the user and prepares a list of headers for the email. It generates two headers: From: and Reply-To:. The From: header is used so the website owner knows whom the email comes from. The Reply-To: header is generated for when the owner wants to reply. When he clicks Reply, the value of this header is used as the destination email address.

How an Email Header Injection Vulnerability is Exploited by a Spammer

A hacker looking to exploit an Email Header Injection vulnerability can inject additional MIME headers. Normally, this email is sent only to the website owner. But if the hacker enters root\nbcc:spam@address in the From field, another header will be passed to the mail function: the newline ends the From: header, so a new bcc: field is generated and the email will also be sent to the hacker’s address, spam@address. A malicious spammer could use this tactic to send large numbers of messages anonymously, where the recipient believes these messages originate from a trusted source.
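The header-building pattern described above next to a hardened version, as an added example that is not the original post's code. The function names and sample values are assumptions made for illustration, and only the header string is built, so no mail is sent.

```php
<?php
// Vulnerable pattern: form fields are concatenated straight into the
// additional-headers string that would later be handed to mail().
function build_headers_vulnerable(string $name, string $email): string
{
    return "From: $name <$email>\r\n" .
           "Reply-To: $email";
}

// Hardened form: refuse any CR or LF in a header field, then validate
// the address before it is placed in a header.
function build_headers_safe(string $name, string $email): string
{
    foreach ([$name, $email] as $field) {
        if (preg_match('/[\r\n]/', $field)) {
            throw new InvalidArgumentException('line break in header field');
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    // Drop characters that would break out of the quoted display name.
    $name = str_replace(['"', '\\'], '', $name);
    return "From: \"$name\" <$email>\r\n" .
           "Reply-To: $email";
}

// List the header field names a mail parser would see, one per line.
function header_names(string $headers): array
{
    $names = [];
    foreach (preg_split('/\r\n|\r|\n/', $headers) as $line) {
        if (preg_match('/^([A-Za-z-]+):/', $line, $m)) {
            $names[] = strtolower($m[1]);
        }
    }
    return $names;
}

// Constructed sample input: the value from the text, with a real newline.
$name  = "root\nbcc:spam@address";
$email = "visitor@example.com";

// The vulnerable builder lets the newline start a header line of its own.
print_r(header_names(build_headers_vulnerable($name, $email)));

// The hardened builder rejects the same input before any header is built.
try {
    build_headers_safe($name, $email);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```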
This vulnerability is not limited to PHP; it can potentially affect any application that sends email messages based on input from arbitrary users.

The alert contains details about the email received to help the developer identify the vulnerable web application.

[Picture 2: alert detail]

The alert also contains a Request Id. This Request Id can be used to load the original HTTP request that caused the Email Header to be injected. The user can go into Application Settings->AcuMonitor and use the Lookup Request button to load the original HTTP request.

Post By Sujeet Haxor
Posted on: Fri, 10 Oct 2014 07:42:52 +0000
