
Thursday 15 September 2011

Email injection



If you have a website with a mail form in its contact section, you have probably already been the victim of an "E-Mail Injection".

What is it?
E-Mail Injection refers to a vulnerability, found on many sites, that allows an attacker to "inject" extra mail headers into the script that sends the mail. The technique is used in most cases by spammers, or by people who for one reason or another want to send a message 100% anonymously.

How it works
To inject mail we need a vulnerable victim: a form that sends mail through PHP's mail() function.
Consider the following scenario:

1. Form:
Something simple, with a 'From' (or 'your email') field and a text area where you can write your message. You have probably seen this on many sites.



Code:
<form method="GET" action="mailer.php">
From: <input type="text" name="from" />
Message: <textarea name="message" cols="20" rows="7"></textarea>
<input type="submit" value=" Send! " />
</form>



2. Script:
A simple script that takes the data and sends it:



Code:
// the 'from' field goes straight into the headers, unfiltered
$from = $_GET['from'];
mail('address where to send', 'subject', $_GET['message'], "From: $from");




3. Explanation:
As you can see, the mail() function sends the message to a specific address, and the sender is the address entered in the 'from' field. Well, not quite, but that is how it looks at first sight. If the fourth parameter of mail() (the headers) contains the keyword "From:", the mail client believes that the message comes from the address given in the 'from' field.
Nothing extraordinary so far, right? True, but in its simplicity the script can be exploited. As you can see, the 'from' field is not filtered. This means that data can be "injected" which will end up in the message header. Think what would happen if, after the email address, I added the following: Cc%3A%20victima@server.com. To clarify a little: the form is sent via GET, which means that some characters are "encoded" to avoid errors. Thus the character ':' is transformed into '%3A' and the space character into '%20'. So what I put there is equivalent to "Cc: victima@server.com".
If you submit the form, you will see in the address bar something like: http://server.com/mailer.php?from=mail%40domeniu.com&message=message. That is, of course, because I sent it with the GET method. To inject a header you need to manually edit that address and make it look like this: http://server.com/mailer.php?from=mail%40domeniu.com%0ACc%3A%20victima@domeniu.com&message=message.
So what did I do? I changed the value of the 'from' variable: I added a new line (%0A is how ENTER is encoded in a GET request) and then Cc%3A%20victima@domeniu.com which, as I said above, means "Cc: victima@domeniu.com". When the address above is requested, the same message will be sent to two mailboxes: one specified by the author of the script and the second one specified in the Cc line. In other words, with a small "retouch" we have a script that sends mail to an address of our choosing, not just to the default one. To send the message only to the new address and not to the default one, change Cc: to To:. In many cases this works and the default address is ignored in favour of the To: line.
OK, now we have a form that can be exploited. From here everyone can go as far as their imagination takes them. It is relatively easy to write a script that calls the form with different parameters for each address in a list, or something similar.

How can we protect ourselves?
Relatively simply. I offer three ideas:
1. Use POST as the submission method rather than GET. POST is more complicated to tamper with, and many are discouraged by it.
2. Use a filter that checks whether there is more than one '@' character, or whether the keywords "From:", "To:", "Cc:" or "Bcc:" appear.
3. Use a form with a security code. That is, an image showing a code that has to be typed into a field of the form. The big advantage of the security code is that even if someone manages to send an anonymous email, they will not be able to automate it with a script, because scripts cannot read the code from the image.
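The three ideas above combined into a hardened mailer.php, as an added example that is not part of the original post: the recipient, the fixed From: address, the subject and the $_SESSION['code'] slot used for the security code are assumptions, and the code that generates the security-code image is not shown.

```php
<?php
// Added example, not the original post's code: a hardened mailer.php that
// combines the three ideas above. The recipient, the fixed From: address and
// the subject are placeholders; PHP 7 or later is assumed.

// Returns true only when $value can safely be placed in a mail header.
function is_safe_sender(string $value): bool
{
    // A CR or LF is what every header injection needs (the %0A in the URL
    // above starts a new header line), so reject it first.
    if (preg_match('/[\r\n]/', $value)) {
        return false;
    }
    // A single address has exactly one '@'.
    if (substr_count($value, '@') !== 1) {
        return false;
    }
    // Idea 2: refuse header keywords, case-insensitively.
    if (preg_match('/(from|to|cc|bcc)\s*:/i', $value)) {
        return false;
    }
    // And it must still be a syntactically valid address.
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Idea 1: read the fields from POST. This alone does not stop the injection
// (a POST body can be edited just like a URL), so the check above is what matters.
$from    = $_POST['from'] ?? '';
$message = $_POST['message'] ?? '';

// Idea 3: the security code typed by the user must match the one stored in
// the session when the image was generated (assumed key; generation not shown).
session_start();
$code = (string) ($_POST['code'] ?? '');
if ($code === '' || !isset($_SESSION['code']) || !hash_equals((string) $_SESSION['code'], $code)) {
    http_response_code(400);
    exit('Wrong security code.');
}
unset($_SESSION['code']);   // one code, one submission

if (!is_safe_sender($from)) {
    http_response_code(400);
    exit('Invalid sender address.');
}

// Never copy the visitor's address into From:; keep a fixed From: on your own
// domain and put the visitor's (now validated) address in Reply-To:.
$headers = "From: webform@example.com\r\nReply-To: $from\r\n";             // placeholder
mail('contact@example.com', 'Contact form message', $message, $headers);  // placeholder
```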