Email Injection


Published on 2008-03-19. Updated on 2009-04-22.

Description:
This script is possibly vulnerable to Email injection attacks.

Email injection is a security vulnerability that allows malicious users to send email messages using someone else's server without prior authorization. A malicious spammer could use this tactic to send large numbers of messages anonymously.

Impact:
One of the input parameters of the mail function is not properly validated. Therefore, it's possible for a remote attacker to inject custom SMTP headers. For example, an attacker can inject additional email recipients and use the script for sending spam.

Recommendation:
You need to restrict the CR (0x0D, decimal 13) and LF (0x0A, decimal 10) characters in user input. Check the references for more information about fixing this vulnerability.
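
One way to apply this recommendation in PHP, shown as an added example that is not part of the original advisory. The helper names, the fixed recipient address and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical contact-form helper (added example; all names are assumptions).

const CONTACT_RECIPIENT = 'contact@example.com'; // fixed, never taken from input

// CR (0x0D) and LF (0x0A) end a header line, so a value containing either
// could start a new header such as an extra recipient.
function contains_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns the arguments for mail(), or throws if a header value is unsafe.
function build_contact_mail(string $replyTo, string $subject, string $body): array
{
    foreach (['reply-to' => $replyTo, 'subject' => $subject] as $name => $value) {
        if (contains_line_break($value)) {
            throw new InvalidArgumentException("line break in $name field");
        }
    }
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('reply-to is not a valid address');
    }
    // The body is not a header; line breaks are expected there.
    return [CONTACT_RECIPIENT, $subject, $body, "Reply-To: $replyTo"];
}

// Constructed sample inputs: one ordinary, two carrying a line break plus a header.
$samples = [
    ['alice@example.org', 'Question about billing'],
    ["alice@example.org\r\nBcc: other@example.net", 'Question about billing'],
    ['alice@example.org', "Hello\nBcc: other@example.net"],
];

foreach ($samples as [$replyTo, $subject]) {
    try {
        $args = build_contact_mail($replyTo, $subject, "Line one\r\nLine two");
        // In a real handler the checked values would be passed on: mail(...$args);
        echo 'accepted: ', json_encode($args[3]), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The check runs on every value that ends up in a header, including the subject, and rejects the request instead of silently rewriting it.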

Tags: Scripts

Alert Tags: abuse_of_functionality
ApplicableApplicationServer: All
ApplicableOS: All
ApplicableWebServer: All

References:

  • Email Injection
  • PHP mail() Header Injection Through Subject and To Parameters
