SF23103, posted March 20, 2013:

I created a script that takes info in the URL (script.php?id=123), compares that number (123) to a database and gets more information about that person (name, etc.). The number also corresponds to their email address (123@domain.com). The information is passed to an email script which is a contact form. The contact form only sends the email to 123@domain.com and cannot be changed by the user. The user can enter their name, email, a subject, and the message. The name and subject are converted into email headers and sent to 123@domain.com (from: the user-submitted info). My question is that although the user cannot change the to: address, can they still input code into the name, email, and subject fields to inject additional to: addresses? If so, any suggestions on existing code that could eliminate this threat? Thanks!

Thread: https://forums.phpfreaks.com/topic/275895-email-form-header-injection/
monkeypaw201, posted March 20, 2013:

I don't know if I see where the problem lies. The email address is retrieved from the database and then written into a variable. That variable is then used in the mail() function (or something equivalent). If the user cannot modify that variable they can't send it to multiple emails, correct? If they try to append multiple numbers in the URL the database won't return a match (e.g. it will match "123" but not "123,456"). So as long as the number going in is clean (mysql escape?) it should be fine. Did I miss something?
cyberRobot, posted March 20, 2013 (edited March 20, 2013 by cyberRobot):

As monkeypaw201 suggested, you'll want to sanitize the GET variable (id) before running the query. Since you're dealing with a number, you can make sure it's a number using ctype_digit(): http://php.net/manual/en/function.ctype-digit.php If you don't sanitize the information, there's a potential for someone to tamper with your database.
SF23103 (author; marked as solution), posted March 21, 2013:

Thanks for the replies. I thought I was OK, but I wanted to make sure I wasn't missing anything since I'm allowing the user to enter their (from) address and subject, which go into the header. I did write a section that verifies that the variable (id) is an integer. If it is not, it spits out an error and does not perform the rest of the code.
cyberRobot, posted March 21, 2013:

I just re-read your post and it sounds like you actually have a two-step process. The first process uses the ID number to grab the user's information from the database, which is likely to be fine. In the next step, however, they fill out a form to supply information to be included in the e-mail. What does the following mean? "The contact form only sends the email to 123@domain.com and cannot be changed by the user." Is the e-mail address stored in a hidden field, disabled field, or something else? It might be helpful to see the code for the form. Note that any information being passed through a form (even the disabled/hidden ones) can be modified. Also, it sounds like the form allows visitors to type in an address in the form, and it sounds like this address is being used in the headers argument. Are you using PHP's mail() function? If so, the "additional_headers" argument allows addresses to be added as Cc and Bcc. So the potential for someone to use the form for spam might be there.
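The risk cyberRobot describes is that a CR/LF inside the name, e-mail or subject field starts a new header line in the string handed to mail()'s additional_headers argument. The following is an added example, not code from the thread or from any poster, showing one way to build those headers so that such input is rejected; the field names and sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the thread): assemble mail() headers from
// user-supplied contact-form fields without letting a line break smuggle
// extra headers (Cc:, Bcc:, To:) into the additional_headers argument.

function containsHeaderInjection(string $value): bool
{
    // A header value must be a single line. Any CR or LF means the sender
    // is trying to terminate the current header and start another one.
    return (bool) preg_match('/[\r\n]/', $value);
}

function buildContactHeaders(string $name, string $email, string $subject): ?array
{
    foreach ([$name, $email, $subject] as $field) {
        if (containsHeaderInjection($field)) {
            return null; // reject the submission rather than trying to "clean" it
        }
    }
    // filter_var returns false for anything that is not a single valid address.
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    // Quote the display name so "<", "," or similar cannot alter the address list.
    $safeName = '"' . addcslashes($name, '"\\') . '"';
    $headers = [
        'From: ' . $safeName . ' <' . $email . '>',
        'Reply-To: ' . $email,
    ];
    return ['subject' => $subject, 'headers' => implode("\r\n", $headers)];
}

// Constructed inputs: an honest submission and one carrying a smuggled Bcc: line.
$ok  = buildContactHeaders('Jane Doe', 'jane@example.com', 'Question about my order');
$bad = buildContactHeaders("Jane Doe\r\nBcc: everyone@example.net", 'jane@example.com', 'Hi');

if ($ok !== null) {
    // The recipient stays fixed; only validated, single-line headers are passed on.
    // mail('123@domain.com', $ok['subject'], $message, $ok['headers']);
}
if ($bad === null) {
    // Show the user an error instead of sending anything.
}
```

The id lookup in the first step is a separate concern (handled by the ctype_digit() check already discussed); this block only covers the second step, where the form fields reach the header string.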