mail() header injection

We are seeing some issues on one of our servers where SPAMMERS are taking advantage of some of the php forms using mail() to send SPAM.

I have been reading about this for days and I am stuck on a few things.

First, I need to know how to re-create the issue before I can test to see if I stopped it.

I have read this article here for example:
http://securephp.damonkohler.com/ind...mail_Injection

which is a great article.

Thing I don't get is this, it shows that the SPAMMER could enter a string like this in the "From:" field of your form:
"sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx" which would send out his SPAM.

Thing that has me stuck is this: every time I try to punch this string into a sample "From:" field on a test form, when I print the string to the screen it comes out exactly like that with the "%0A" and all. The "%0A" is supposed to be converted into a "\n" which is needed for the exploit to work. Problem is that POST data does not get unencoded like GET data on the other end and the PHP mail() just barfs.

If I try to send the same string with plain old "\n" then it ends up looking like this "\\n" on the other side because Magic Quotes is escaping my backslash.

I am confused as to how the SPAMMERS have been able to successfully pass the "\n" which is needed in a POST when I can't do it myself.

I know they are doing it because I have seen the SPAM go through the machine and I know it came from a FORM pretty much identical to my test form.

Any ideas? This is driving me seriously buggy.. SPAMMERS
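
A defensive check for form handlers like the ones described above, as an added example that is not part of the original post: it refuses any From or Subject value containing a carriage return or line feed before mail() is called, and runs the check over a few test values. The function names and sample inputs are constructed for illustration, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not from the original post. Function names and sample
// inputs are constructed. Assumes PHP 7.1+.

/** True when $value has no CR, LF or NUL and can sit on one header line. */
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/** Returns the validated From address, or null when it must be rejected. */
function clean_from_address(string $raw): ?string
{
    if (!is_safe_header_value($raw)) {
        return null;                    // line break smuggled into the field
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Sends the form mail only when every user-supplied header value is clean. */
function send_form_mail(string $to, string $subject, string $body, string $rawFrom): bool
{
    $from = clean_from_address($rawFrom);
    if ($from === null || !is_safe_header_value($subject)) {
        error_log('contact form: rejected unsafe From/Subject value');
        return false;
    }
    return mail($to, $subject, $body, "From: $from");
}

// Constructed test values. Double-quoted strings hold real CR/LF bytes, the
// form a header value must never have when it reaches mail().
$samples = [
    'plain address'        => 'sender@example.com',
    'literal %0A as typed' => 'sender@anonymous.www%0ACc:recipient@someothersite.xxx',
    'real line feed'       => "sender@anonymous.www\nCc:recipient@someothersite.xxx",
    'real CRLF'            => "sender@anonymous.www\r\nBcc:somebloke@grrrr.xxx",
];
foreach ($samples as $label => $value) {
    $from = clean_from_address($value);
    printf("%-22s => %s\n", $label, $from === null ? 'REJECTED' : "accepted ($from)");
}
```

Calling the validation functions directly with test strings exercises the fix without depending on how a browser or Magic Quotes transforms the submitted field.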
