Email Header Injection Web Vulnerability

Detect Email Header Injection Vulnerabilities with Acunetix WVS v9

What is Email Header Injection?

Email Header Injection is a web security vulnerability exploited by spammers to send email anonymously. It occurs in web applications that do not properly sanitize user input when preparing and sending email messages. Email Header Injection vulnerabilities are commonly found in websites implementing a "Contact Us" form which legitimate users use to send emails to the website owner.

Web Forms a Common Target of Email Header Injection Attacks

A website can provide a web form similar to the one below.

Contact Us forms like this are a typical target spammers use to detect and exploit Email Header Injection vulnerabilities.

On this form, a user enters a name, an email address and the message to send. When processing the form, the web application may fail to sanitize these fields properly while preparing the email for the website owner.

A vulnerable implementation (in PHP) can look like this:

<?php
if (isset($_POST['name']))
{
   // Raw, unvalidated form fields
   $message = $_POST['message'];
   $name = $_POST['name'];
   $replyto = $_POST['replyTo'];

   $to = 'root@localhost';
   $subject = 'My Subject';

   // Headers start here: user input is concatenated straight into the
   // header block, so a CR/LF in $name or $replyto starts a new header line
   $headers = "From: $name \r\n" .
              "Reply-To: $replyto";

   mail($to, $subject, $message, $headers);
}
?>

This piece of code takes the name and email address provided by the user and prepares a list of headers for the email. It generates two headers: From: and Reply-To:.

The From: header tells the website owner whom the email comes from. The Reply-To: header is generated for when the owner wants to respond: when he clicks Reply, the value of this header is used as the destination email address.

How an Email Header Injection Vulnerability is Exploited by a Spammer

A hacker looking to exploit an Email Header Injection vulnerability can inject additional MIME headers. Normally, this email is sent only to the website owner. But if the hacker enters

root\nbcc:spam@address.com

in the From field, another header will be passed to the mail function. A new bcc: field is generated, and the email will also be sent to the hacker's address spam@address.com.

A malicious spammer could use this tactic to send large numbers of messages anonymously where the recipient believes these messages are originating from a trusted source.  This vulnerability is not limited to PHP; it can potentially affect any application that sends email messages based on input from arbitrary users.
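The fix is to refuse any header value that can break out of its line and to validate the reply address before it reaches mail(). The handler below is an added example written for this article, not code from the Acunetix post; it assumes the same three form fields (name, replyTo, message) and uses a placeholder sender address no-reply@example.invalid for the site's own From: header.

```php
<?php
// Hardened version of the article's contact-form handler (added example).
// Assumptions: the form posts 'name', 'replyTo' and 'message' as in the
// vulnerable snippet; the sender mailbox below is a placeholder.

function reject_header_injection(string $value, string $field): string
{
    // A CR, LF or NUL in a header value ends the current header line, which is
    // exactly what lets "root\nbcc:spam@address.com" add a Bcc: header.
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("$field contains a line break");
    }
    return $value;
}

function build_contact_headers(string $name, string $replyTo): array
{
    $name = reject_header_injection(trim($name), 'name');

    // FILTER_VALIDATE_EMAIL only accepts a single bare address, so any value
    // carrying extra header text is rejected here rather than passed on.
    $replyTo = filter_var(trim($replyTo), FILTER_VALIDATE_EMAIL);
    if ($replyTo === false) {
        throw new InvalidArgumentException('replyTo is not a valid email address');
    }

    // The From: address is the site's own mailbox; the visitor's name only
    // appears in the quoted display part, so visitor text can never become
    // the sender address or an additional header.
    $display = '"' . addcslashes($name, '"\\') . '"';
    return [
        'From'     => "$display <no-reply@example.invalid>", // placeholder sender
        'Reply-To' => $replyTo,
    ];
}

if (isset($_POST['name'], $_POST['replyTo'], $_POST['message'])) {
    try {
        $headers = build_contact_headers($_POST['name'], $_POST['replyTo']);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('Rejected: ' . htmlspecialchars($e->getMessage()));
    }

    $to = 'root@localhost';   // the article's recipient
    $subject = 'My Subject';

    // Passing headers as an array (PHP >= 7.2) avoids hand-built "\r\n" joins.
    mail($to, $subject, $_POST['message'], $headers);
}

// Constructed check, e.g. from the CLI: the article's payload is refused.
// build_contact_headers("root\nbcc:spam@address.com", "user@example.com")
// throws InvalidArgumentException("name contains a line break").
```

The message body needs no such check: it follows the blank line that ends the header block, so line breaks there cannot introduce headers. Only values that are placed into headers (name, reply address, and any subject built from user input) must be validated this way.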

How Acunetix WVS Detects Email Header Injection Vulnerabilities

Acunetix WVS version 9 with the AcuMonitor service can detect this type of vulnerability. When scanning this sample vulnerable application, the scanner injects a bcc: header and causes the email to also be sent to the AcuMonitor domain.

AcuMonitor monitors these emails; when it receives an email sent to this special address, it issues an email alert about the vulnerability.

The alert contains details about the email received to help the developer identify the vulnerable web application.

AcuMonitor Alert Details for Email Header Injection Vulnerability

The alert also contains a Request Id. This Request Id can be used to load the original HTTP request that caused the Email Header to be injected. The user can go into Application Settings->AcuMonitor and use the Lookup Request button to load the original HTTP request.

Acunetix WVS version 9 with the AcuMonitor service is currently the only scanner capable of detecting such vulnerabilities.
