Form hijacking

Does your website contain mail forms that aren’t sanitizing input as aggressively as they should? There seems to have been a recent surge in automated (or semi-automated, it’s hard to tell) probes and exploits of form mail scripts, all revolving around injecting headers into sent mail.

Here’s how it works: Let’s say you have a form that allows the user to enter their email address. The black hat’s exploit script submits a value for that field that includes a newline, followed by whatever email headers they want to insert: Bcc, for example, or even full-blown MIME-encoded parts.

This is especially a problem in PHP because what’s commonly thought of as the “From” parameter to the mail() function is actually an “additional headers” parameter. It accepts a single string containing an arbitrary number of headers separated by newlines – which the spammers are happy to provide.

The defense is very basic input scrubbing (or bulletproof validation of From addresses) that you’d think would already be in place everywhere, but I was surprised to find several forms on my various sites that were vulnerable to this – in some cases forms that had been online for several years with zero abuse.

Rather than cast about for the perfect email address validator, I changed the form processing scripts to strip newlines from user input. That’s enough to prevent hijacking, but not enough to prevent incredible annoyance, since some forms were being probed dozens of times a day, filling up my spambox with garbled mail. So I added a second check that simply rejects any submission if the string “MIME-Version” is in any of the submitted fields. Crude but effective.
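The two checks described above, as an added PHP example (not the post's own form script): a handler that passes user text straight into mail()'s "additional headers" argument, beside a version that strips newlines from every field and drops any submission mentioning MIME-Version. Field names, the recipient address and the sample input are assumed.

```php
<?php
// Added example, not the post's own code. Field names ('email', 'message')
// and the recipient are assumptions.

// Vulnerable shape: user-controlled text lands in mail()'s 4th argument,
// which is "additional headers", so an embedded newline ends the From
// header and whatever follows becomes a new header of the attacker's choice.
function send_unsafe(array $post): bool
{
    $headers = "From: " . $post['email'];
    return mail('owner@example.com', 'Contact form', $post['message'], $headers);
}

// Defense 1: strip CR and LF from every submitted field, so no value can
// terminate the current header and begin another.
function strip_newlines(string $value): string
{
    return str_replace(["\r", "\n"], '', $value);
}

// Defense 2: reject any submission carrying "MIME-Version" in any field;
// legitimate form input never does, so this is a cheap probe detector.
function looks_like_probe(array $fields): bool
{
    foreach ($fields as $value) {
        if (stripos($value, 'MIME-Version') !== false) {
            return true;
        }
    }
    return false;
}

function send_safe(array $post): bool
{
    $clean = array_map('strip_newlines', $post);
    if (looks_like_probe($clean)) {
        return false; // drop it; nothing reaches mail()
    }
    $headers = "From: " . $clean['email'];
    return mail('owner@example.com', 'Contact form', $clean['message'], $headers);
}

// Constructed sample of the kind of value the post describes: an address
// followed by a newline and extra headers. After strip_newlines() the extra
// headers are inert text, and looks_like_probe() still flags the submission.
$sample = [
    'email'   => "someone@example.com\r\nBcc: other@example.net\r\nMIME-Version: 1.0",
    'message' => 'hello',
];
var_dump(looks_like_probe(array_map('strip_newlines', $sample)));
```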

Damon Kohler’s “Secure PHP” site has a more detailed explanation of this type of exploit.


web design blog commented:

They like to inject forms and enter tons of characters in attempts to break the page. You can add filters, and even things like mod_security for enhanced protection. However, I am still looking for a way to be able to monitor this kind of thing on the server level.


