[sclug] Php mail

Simon Huggins huggie at earth.li
Tue Nov 29 09:07:52 UTC 2005

On Mon, Nov 28, 2005 at 05:23:23PM +0000, Bob Franklin wrote:
> On Mon, 28 Nov 2005, Peter Brewer wrote:
> >550-Verification failed for <www-data at reading.ac.uk> 550-Unrouteable 
> >address 550 Sender verify failed (in reply to RCPT TO command))
> You need to set the sender address to be something valid -- either
> your personal email address or something else (e.g. if you have a
> project account, you could use that).  Then the system will let it
> through.

Be careful when you do this if you're considering allowing user input
anywhere near this.

php's mail function goes:
bool mail ( string to, string subject, string message
	[, string additional_headers [, string additional_parameters]] )

which is all fine until you want a From: header.  That means you need to
do something like:
mail('huggie at earth.li', 'Some subject', 'Oh look a lovely message',
	'From: Foobar <huggie at earth.li>');
Again this is all fine until someone comes along and goes "aha, I could
put the recipient's email address in the From: header and save myself
some work" and you get something ill thought out like:
$from = $_POST['from'];
mail('huggie at earth.li', 'Some subject', 'Oh look a lovely message',
	"From: $from");

Where from could contain all manner of headers to subvert the script
into spamming.  We've seen this being exploited by spammers recently.

See also: http://securephp.damonkohler.com/index.php/Email_Injection

So just a friendly hint to everyone to verify user input.


[ '<blitz> but I've got the productivity of an endive :)' #parinux   ]
        Black Cat Networks.  http://www.blackcatnetworks.co.uk/
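An added example of the check the post is asking for (this is not Simon's code, just an illustration written for this archive): the user-supplied sender is rejected outright if it contains a line break or is not a single well-formed address, so nothing but a plain address ever reaches the From: header. The recipient address, the function names and the sample inputs are made up; it assumes PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example, not part of the original post: validate a user-supplied
// sender address before it is placed into a mail() header.

// Returns the address if it is safe to use in a From: header, or null.
function safe_from_address(string $from): ?string
{
    $from = trim($from);
    // A CR, LF or NUL would terminate the From: header and let whatever
    // follows it be read as further headers (the injection in the post).
    if (preg_match('/[\r\n\0]/', $from)) {
        return null;
    }
    // Exactly one syntactically valid address: no display name, no angle
    // brackets, no comma-separated list.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $from;
}

// Wraps mail() so that the sender and subject are checked first.
// 'webmaster@example.org' is a placeholder recipient, not a real address.
function send_contact_mail(string $from, string $subject, string $message): bool
{
    $safe = safe_from_address($from);
    if ($safe === null) {
        // Refuse rather than "clean up": a stripped value is still attacker
        // input, and the rejected request is worth a line in the log.
        error_log('rejected From value: ' . bin2hex($from));
        return false;
    }
    // The subject is a header too, so it gets the same line-break check.
    if (preg_match('/[\r\n\0]/', $subject)) {
        return false;
    }
    return mail('webmaster@example.org', $subject, $message, "From: $safe");
}

// Constructed inputs: the first is accepted, the other two are rejected.
var_dump(safe_from_address('alice@example.org'));
var_dump(safe_from_address("alice@example.org\r\nBcc: someone@example.net"));
var_dump(safe_from_address('Alice <alice@example.org>'));
```

If you need a display name, keep it in a separate field that goes through the same line-break check and is then passed through, rather than letting the user type the whole header.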
