Is there any injection vulnerability in the body of an email?

后端未结

关注

 4  1818

长情又很酷

AFAIK there is only a vulnerability within the HEADERS of an email when using user data correct?

I am using the below function to sanitize my data, however I have so

相关标签:

4条回答

我寻月下人不归

2020-12-31 06:16
There's a possible injection in the body text if you're speaking native SMTP to the mail server.

A single . on its own terminates the current body in SMTP, so in theory you could have user supplied input like this:
```
some body text
.
MAIL FROM: <...>
RCPT TO: <...>
DATA
Subject: here's some spam

here's a new body
```
and the SMTP server might allow the second message through.

Some SMTP servers can be configured to prevent this by not allowing SMTP commands to be pipelined (i.e. requiring the client to read the response before permitting the next command).
0 讨论(0)
发布评论:

提交评论
- 加载中...
南方客

2020-12-31 06:20

If the email's an HTML mail, and particularly if the receiver's going to be viewing it in a web-based email (Hotmail, Gmail, Yahoo, etc...) or an email client that supports HTML views, then injection into the body is definitely a concern - XSS can happen anywhere.

0 讨论(0)
发布评论:

提交评论
- 加载中...
再見小時候

2020-12-31 06:21
Something that might also happen is dynamic MIME change. When we send mail we usually define Content-type in our script, example:
```
Content-type: text/html;charset=UTF-8
```
The catch is - "Content-Type" header can be re-defined as multipart/mixed (or multipart/alternative or multipart/related), even though it was previosly defined.

Example - imagine that someone types this into email body field on your contact page:
```
haxor@attack.com%0AContent-Type:multipart/mixed;%20boundary=frog;%0A--frog%0AContent-Type:text/html%0A%0AMy%20Message.%0A--frog--
```
What this will do - when user receives this message, he'll only see spammer's message ( the one delimited by "--frog"), as per mime multipart/mixed specification. Original "contact" message that developer perhaps hardcoded - will be inside of the email as well, but will not be displayed to the recipient.

This way spammers can send spam from other people's domains. Especially if it's some sort of: "send it to your friend." form.

Also - when filtering mail headers, I use (a bit shorter I guess than what you have there):
```
preg_replace( '/\s+/', "", $text )
```
0 讨论(0)
发布评论:

提交评论
- 加载中...
渐次进展

2020-12-31 06:33

You can also inject MIME boundary into multipart messages, if the boundary is not randomized. That way you can inject arbitrary content (e.g. attachements with malware).

Example (not directly email-related but still): https://bugzilla.mozilla.org/show_bug.cgi?id=600464

0 讨论(0)
发布评论:

提交评论
- 加载中...