
What is Email Header Injection?


It is also known as SMTP header injection.

SMTP Definition:

Simple Mail Transfer Protocol (SMTP) is a plain-text Internet standard for electronic mail (email) transmission. First defined by RFC 821 in 1982, it was last updated in 2008 with the Extended SMTP additions of RFC 5321, which is the protocol in widespread use today.


SMTP header injection / Email Header Injection




SMTP header injection vulnerabilities arise when user input is placed into email headers without adequate sanitization, allowing an attacker to inject additional headers with arbitrary values.

Websites often implement contact forms that send an email from a legitimate user to an intended recipient. Such a contact form typically sets SMTP headers such as From and Reply-To so that the recipient can treat communication from the contact form just like any other email.
Unfortunately, unless the user's input is validated before being inserted into SMTP headers, the contact form may be vulnerable to email header injection. The most common form of SMTP header injection is adding a To:, CC:, or BCC: header to send the email to an unintended recipient.
This behavior can be exploited to send copies of emails to third parties, deliver phishing attacks, attach viruses, and often alter the content of emails. It is typically exploited by spammers looking to leverage the vulnerable company's reputation to add legitimacy to their emails.
Examples:

The following PHP code is an example of email header injection. It takes the name and email address provided by a website visitor and prepares a list of headers for the email.
The From header is used so that the email's recipient (in this example root@localhost) knows who the email's author is. The Reply-To header allows the email's recipient to reply to the person who sent the email via the reply button in their email client.




A typical genuine POST request would be as follows.





In the above example, the attacker inserts a newline (\n on most UNIX and Linux systems, \r\n on Windows systems) and appends a Bcc SMTP header containing additional email addresses, to which the SMTP server will then deliver the email as blind carbon copies.

An attacker could use such tactics to send large numbers of messages anonymously, or even send phishing emails where the recipient believes these messages are originating from a trusted source. It’s also worth noting that this vulnerability is not limited to PHP; it can potentially affect any application that sends email messages based on arbitrary user input.

Mitigation

Mitigating email header injection means validating user input so that it cannot contain the newline characters that would cause another SMTP header to be appended.

Validate that user input conforms to a whitelist of safe characters before placing it into email headers. In particular, input containing newlines (\n) or carriage returns (\r) should be rejected.

Strong input validation is best achieved through a whitelist of characters allowed in SMTP headers.

Avoid this security hole in your PHP scripts; otherwise your script may be abused to send spam to others without your knowledge.
Alternatively, consider switching to an email library that automatically prevents such attacks.
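As an added example (not the article's own PHP code), the following Python shows the two patterns discussed above side by side: the vulnerable header construction from the Examples section, where a CRLF plus a Bcc line in the email field becomes a real header, and the hardened version that applies the whitelist check from the Mitigation section. The sample form values and the function names are constructed for this illustration.

```python
import re
from email.parser import Parser

# Constructed sample form submissions (not taken from the original post).
GENUINE_NAME = "Alice Example"
GENUINE_EMAIL = "alice@example.com"
# The same "email" field carrying a CRLF followed by an extra Bcc header,
# the injection pattern the article describes.
INJECTED_EMAIL = "alice@example.com\r\nBcc: victim1@example.net, victim2@example.net"

# Whitelist: printable ASCII only. This excludes CR, LF, NUL and every other
# control character that could start or truncate a header line.
SAFE_HEADER_VALUE = re.compile(r"[\x20-\x7E]*")


def build_headers_unsafe(name, email):
    """Vulnerable pattern: form fields concatenated straight into the header block."""
    return f"From: {name} <{email}>\r\nReply-To: {email}\r\n"


def header_names(raw_headers):
    """Parse a header block as a mail layer would and return the header names it sees."""
    msg = Parser().parsestr(raw_headers + "\r\n")
    return list(msg.keys())


def is_safe_header_value(value):
    """True only if the whole value consists of whitelisted characters."""
    return SAFE_HEADER_VALUE.fullmatch(value) is not None


def build_headers_safe(name, email):
    """Hardened pattern: validate each field first; return (ok, headers_or_reason)."""
    for field_name, value in (("name", name), ("email", email)):
        if not is_safe_header_value(value):
            return False, f"rejected: {field_name} contains a non-whitelisted character"
    return True, build_headers_unsafe(name, email)


if __name__ == "__main__":
    print("genuine :", header_names(build_headers_unsafe(GENUINE_NAME, GENUINE_EMAIL)))
    print("injected:", header_names(build_headers_unsafe(GENUINE_NAME, INJECTED_EMAIL)))
    print("hardened:", build_headers_safe(GENUINE_NAME, INJECTED_EMAIL))
```

Run it to see that the unsafe builder turns the injected field into a parsed Bcc header while the hardened builder rejects the submission before any header is built.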


(Note: This information is for educational purposes only.)



Sagar Gaikwad
Sagargaikwad4385@gmail.com
Ethical Hacker | Web Application Security Testing |CEH v9 | CCNA |WAPT | VAPT | Network security
Twitter : @Sgrdhara Instagram:@sgrdhara
LinkedIn: https://www.linkedin.com/in/sagar-gaikwad-32047696/


*This blog never posts any illegal hacking activity or article.




