Email injection

from Wikipedia, the free encyclopedia

E-mail injection refers to the exploitation of a vulnerability in a web application that allows an attacker to send e-mails through an unprotected contact form without the knowledge or consent of the site operator. The attacker's main interest is sending spam. The term is derived from SQL injection.

How it works

The vulnerability consists in the data entered into a contact form being passed on to the mail server without any further checking. The attacker benefits from two facts: the header information stands line by line at the beginning of an e-mail, and some programming languages used for web applications do not check the data themselves when an e-mail is sent. E-mail injection therefore consists of filling single-line fields, such as the subject of the request, with multi-line content. In this way additional recipients can be added, possibly also as "CC" or "BCC", even though the programmer of the web application has specified a fixed recipient address.

Distribution

The vulnerability was known by 2004, but was only occasionally exploited. Since 2005 there have been increasing reports of search bots, similar to those of a search engine, that test large numbers of forms on websites for this vulnerability using a brute-force approach. It is to be expected that the information collected in this way will be used to send spam on a larger scale in the near future.

Example

The following shows the data of such an HTTP request to a contact form of a web application written in PHP.

$_REQUEST = Array {
["name_absender"]=> string(215) "of
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: nton an incoln. e d be bucked off befure
bcc: charleslegbe@aol.com

ec36ff5aa45502446284c4f3ce2b3896
.
"
}

Here $_REQUEST stands for the array that contains all the variables passed with the HTTP request. In this case it contains only the "name_absender" field. Its value is a string of 215 characters that extends over nine lines. If the web application inserts the sender's name into the header of an e-mail, the e-mail is unintentionally also sent to the specified address at the provider AOL. This is not yet about sending spam itself, but about testing whether the contact form in question is susceptible to the vulnerability. The line with the 32 characters is probably a hash value with which the attacker encoded the URL of the unprotected contact form in order to identify it later.

Defense measures

Suitable countermeasures are discussed in internet forums. Supposedly protective measures, such as deliberately locking out a particular search bot based on the e-mail address it uses, checking the referrer when processing the entries, or only accepting entries sent via HTTP POST from the contact form, can easily be bypassed.

An effective measure is to prevent line breaks in variables that are later inserted into the header of the e-mail. It is up to the programmer whether a multi-line string is truncated to its first line or processing is aborted when line breaks are detected.
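As an added illustration (not code from the article), the following PHP contact-form handler shows the unchecked pattern described under "How it works" next to a hardened version that applies the line-break check recommended above. The field names "name_absender", "email" and "message", the fixed operator address and the sample probe value are assumptions.

```php
<?php
declare(strict_types=1);

// Reject any value that could terminate a header line: CR, LF or a NUL byte.
// PHP has already URL-decoded request data, so an encoded "%0a" arrives as "\n".
function header_injection_detected(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Unchecked handler: the submitted name is copied straight into the From header.
// A multi-line value like the probe in the article appends its own Bcc/Subject
// lines, so the mail also reaches addresses the programmer never specified.
function send_unchecked(array $request, string $fixed_recipient): bool
{
    $headers = "From: " . $request['name_absender'] . " <" . $request['email'] . ">\r\n";
    return mail($fixed_recipient, "Contact form", $request['message'], $headers);
}

// Hardened handler: every value destined for a header is refused if it contains
// a line break, the address is validated, and the recipient never comes from input.
function send_hardened(array $request, string $fixed_recipient): bool
{
    foreach (['name_absender', 'email'] as $field) {
        $value = $request[$field] ?? '';
        if (header_injection_detected($value)) {
            // Log and abort; the article leaves the choice of truncating or
            // aborting to the programmer, this version aborts.
            error_log("contact form: line break rejected in field '$field'");
            return false;
        }
    }
    if (filter_var($request['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Keep the display name on one line and free of quoting characters.
    $name = str_replace(['"', '<', '>'], '', $request['name_absender']);
    $headers = sprintf("From: \"%s\" <%s>\r\n", $name, $request['email']);
    return mail($fixed_recipient, "Contact form", $request['message'] ?? '', $headers);
}

// Constructed sample values (hypothetical), modelled on the probe in the article.
$probe = [
    'name_absender' => "of\nbcc: probe@example.com\n\n0123456789abcdef0123456789abcdef\n.\n",
    'email'         => 'visitor@example.com',
    'message'       => 'hello',
];
$ok = send_hardened($probe, 'operator@example.com');   // rejected, mail not sent
```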
