bWAPP - Mail Header Injection (SMTP)


Mail Header Injection (SMTP)

No local environment, so no demonstration; the reposted article is attached below.

What is email header injection? Posted on May 3, 2017 by Ian Muscat

It is common practice for a website to implement a contact form, which in turn sends an email from a legitimate user to the intended recipient of the message. In most cases, such a contact form sets the SMTP headers From and Reply-To so that recipients can handle communication from the contact form just like any other email message.

Unfortunately, the contact form may be vulnerable to email header injection (also known as SMTP header injection) unless the user's input is validated before it is inserted into the SMTP headers. This is because an attacker could inject an extra header into the message, instructing the SMTP server to carry out a different instruction than intended.

The following PHP code is an example of a typical contact form that is susceptible to email header injection attacks. The code takes the name and email address provided by the site visitor and prepares the list of email headers.

The From header is used so that the recipient of the email message (in this example, root@localhost) knows who the author of the email is. The Reply-To header allows the recipient to reply to the person who sent the message via the reply button in their email client.

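// Values taken directly from the submitted form, with no validation
$name = $_POST['name'];
$replyto = $_POST['replyTo'];
$message = $_POST['message'];

$to = 'root@localhost';
$subject = 'My Subject';

// Set SMTP headers
// Vulnerable: a line break in $name or $replyto starts a new header line
$headers = "From: $name \n" .
"Reply-To: $replyto";

mail($to, $subject, $message, $headers);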

A typical genuine POST request is as follows.

POST /contact.php HTTP/1.1

name=Joe Bloggs&[email protected]&message=Example message

An attacker could abuse this contact form by sending the following POST request.

POST /contact.php HTTP/1.1

name=Attacker\nbcc: [email protected]&[email protected]&message=Attacker message

In this example, the attacker inserts a newline character (\n on most UNIX and Linux systems, \r\n on a Windows system) and appends a Bcc SMTP header that contains an additional email address, so the SMTP server also sends the message to the Bcc address.

An attacker could use such a tactic to send a large number of messages anonymously, or even to send phishing emails that the recipient believes originate from a trusted source. It is also worth noting that this vulnerability is not limited to PHP; it may affect any application that sends email based on user input.

Detecting email header injection vulnerabilities

In order to detect email header injection automatically, we need to rely on an intermediary service, because detecting such a vulnerability requires an out-of-band and time-delayed vector. Acunetix resolves this during automated scanning by using AcuMonitor as its intermediary service.

During the scan, Acunetix will find the contact form and inject a custom Bcc SMTP header that points to an AcuMonitor email address. If the application under test causes the SMTP server to send the email to AcuMonitor, then AcuMonitor knows the application is vulnerable and sends a notification back to Acunetix, indicating that it should raise an email header injection alert.


Mitigating email header injection involves validating user input and not allowing any line breaks in the input, since a line break would result in another SMTP header being added. In general, the simplest and most robust way to implement strong input validation is to whitelist the characters allowed in the SMTP header.
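
The validation described above, applied to the vulnerable contact form, as an added example that is not part of the original article. The function names, the character whitelist and the sample inputs are assumptions chosen for illustration.

```php
<?php
// Added example: contact-form headers built only from validated input.

/** True if the value contains CR, LF or any other ASCII control character. */
function has_control_chars(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 1;
}

/** Whitelist check for the display name placed in the From header. */
function valid_name(string $name): bool
{
    // \A and \z anchor the whole string; a bare "$" would accept a trailing "\n".
    return preg_match('/\A[A-Za-z0-9 .\'-]{1,64}\z/', $name) === 1;
}

/** Reply-To must be one syntactically valid address with no control characters. */
function valid_reply_to(string $addr): bool
{
    return !has_control_chars($addr)
        && filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

/** Build the header block, or return null if either field fails validation. */
function build_headers(string $name, string $replyTo): ?string
{
    if (!valid_name($name) || !valid_reply_to($replyTo)) {
        return null;
    }
    return "From: $name\r\nReply-To: $replyTo";
}

// Constructed inputs: a genuine submission and a name carrying an injected header.
$samples = [
    ['Joe Bloggs', 'joe@example.com'],
    ["Attacker\nbcc: third.party@example.com", 'attacker@example.com'],
];
foreach ($samples as [$name, $replyTo]) {
    $headers = build_headers($name, $replyTo);
    if ($headers === null) {
        echo 'rejected: ' . json_encode($name) . "\n";
        continue;
    }
    // In the form handler: mail('root@localhost', 'My Subject', $message, $headers);
    echo "accepted:\n$headers\n";
}
```

Rejecting the request outright, rather than stripping the line breaks and sending anyway, keeps the attempt visible in application logs.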
