Email Injection

Description

This script is possibly vulnerable to Email injection attacks.

Email injection is a security vulnerability that allows malicious users to send email messages using someone else's server without prior authorization. A malicious spammer could use this tactic to send large numbers of messages anonymously.

ShareShare on FacebookTweet about this on TwitterShare on Google+

Impact
One of the input parameters of the [bold]mail[/bold] function are not properly validated. Therefore, it's possible for a remote attacker to inject custom SMTP headers. For example, an attacker can inject additional email recipients and use the script for sending spam.

Recommendation
You need to restrict CR(0x13) and LF(0x10) from the user input. Check references for more information about fixing this vulnerability.

References
Email Injection
PHP mail() Header Injection Through Subject and To Parameters