2

I have a php script running on my web site that accepts user-supplied input to send via an email. I am sanitizing the input data by stripping tags and slashes. However, I am not using this input to enter data in a database, or do an include, or an exec, or an eval, or anything like that. If I'm not doing one of these risky things, is it possible for a malicious user to inject executable php code through the GET, POST, or COOKIES arrays? I'm almost positive that the answer is "no", but I figured it was worth a shot at asking more experienced people. :)

6 Answers

1

Well sir, may I introduce you to Email Injection

How to prevent: http://phpsense.com/php/php-mail.html Note: If you use the user supplied data just in the body of the email, then you should be safe from it. But my recommendation is NEVER trust user input data.


3 Comments

That is injecting headers, but they can't execute php code on your servers through it.
If someone exploits a form for spam, then your server is blacklisted, then emails coming from that server will be marked as spam... then you have trouble. Vulnerabilities are everywhere.
Wow - you guys are on the ball. I already had 6 answers after only 10 minutes. :) Thank you so much for the link to "email injection." I had never heard of it before; I'll check it out.
1

If you're not using any of the input in an SQL statement, not writing it to a file, not using an eval or an exec, or including it, no, it's not possible to inject executable php code.

Comments

1

Without seeing the source, no one can tell for sure, but probably. Code execution usually happens when you use eval. Also check if you use include or require on paths from strings which could be modified by users.

Oh and there is Header Injection which will probably affect you http://www.securephpwiki.com/index.php/Email_Injection

1 Comment

Exactly that. If all you are doing is sending the input directly, you have nothing to worry about.
1. Injection can occur only when you are entering data into the database. So you should be okay. The email provider deals with emails as they deem fit. Unless you do not want to send html or do additional processing such as bad word filtering, it is unnecessary to filter or strip the input.
2. File traversal only when you are attempting to include files using user input.
3. XSS when you echo data to the user.
However, make sure the email is provided by you. Or else deal with it appropriately.
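The "email injection" / "header injection" that the first and third answers point to comes down to one thing: a user-supplied value that ends up in a mail header can carry a CR/LF and smuggle in extra header lines (another recipient, for instance), whereas a value used only in the body cannot. The following PHP is an added example written for this thread, not code from any of the answers or from the linked articles; the form field names (`email`, `subject`, `message`), the fixed recipient address and the function names are my own assumptions.

```php
<?php
// Added example: reject header injection in a contact-form mailer.
// Field names, recipient and function names are assumptions for this example.

/**
 * A value is safe to place in a mail header only if it cannot start a new
 * header line: no CR, LF or NUL bytes, and a sane length (RFC 5322 line limit).
 */
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1 && strlen($value) <= 998;
}

/** Return a validated sender address, or null if it is unsafe or malformed. */
function validateSender(string $email): ?string
{
    $email = trim($email);
    if (!isSafeHeaderValue($email)) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

/**
 * Build the pieces that would be handed to mail(). Returns null when any
 * header-bound field fails validation: refuse the request instead of trying
 * to "clean" an attempted injection.
 */
function buildMessage(array $post): ?array
{
    $from    = validateSender($post['email'] ?? '');
    $subject = $post['subject'] ?? '';
    $body    = $post['message'] ?? '';

    if ($from === null || !isSafeHeaderValue($subject)) {
        return null;
    }

    // Body lines are never parsed as headers, so CR/LF here cannot add a
    // recipient; just drop NUL bytes and normalise line endings.
    $body = str_replace("\0", '', $body);
    $body = preg_replace("/\r\n?/", "\n", $body);

    return [
        // The recipient is fixed by the site, never taken from the form.
        'to'      => 'owner@example.com',
        'subject' => $subject,
        'body'    => $body,
        'headers' => ['From: ' . $from, 'Reply-To: ' . $from],
    ];
}

// Constructed inputs for demonstration.
$benign = [
    'email'   => 'alice@example.org',
    'subject' => 'Hello',
    'message' => "Line one\r\nLine two",      // CR/LF in the body is harmless
];
$hostile = [
    'email'   => "alice@example.org\r\nBcc: someone@example.net", // CR/LF in a header field
    'subject' => 'Hi',
    'message' => 'x',
];

var_dump(buildMessage($benign) !== null);  // bool(true)
var_dump(buildMessage($hostile));          // NULL: the smuggled header line is refused
```

The design choice worth noting is that header-bound fields are validated and rejected rather than stripped: silently removing the CR/LF would still deliver a message built from an input that was clearly crafted, and logging the rejection gives you a simple detection signal for form abuse. Fields that only reach the body need no such check, which is the point the answers above are making.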
1

The only thing that I can think of is having register_globals turned on; this will be a high risk.

For example, if you had the following URL with register_globals on: http://mysite/page/php?_SESSION=0 it would cause PHP to overwrite the session globals:

var_dump($_SESSION); // = 0

Otherwise it's just email injection you would have to look out for, a great link supplied by @amosrivera.

Comments

1

You are already taking care of many things. But I just want to share my experience regarding Code Injection. A few months ago, I found some strange lines of code in the index.php file of my website. At that time I just removed those lines, but they came back again after a week or so. Then, after a lot of research, I found that it was because of some malware on my computer that hacked my FTP ID/Pwd from my FTP application. It was changing the code in index.php. After that I reinstalled the OS on my computer and the issue was solved. So this might be one possibility of code injection.

Comments

0

It's really best not to think of this problem in terms of conditions that produce risks and rather perform preventative measures regardless of context.

Generally speaking, however, user-submitted data that is not saved anywhere on the server and then utilized in the web application itself is garbage collected at the end of the request (in your example, the information is emailed and then GCed). But injection on the whole is a very large issue and it's best not to think of it in broad strokes. Sure, the user may not be able to inject PHP, but even simple unsecured textareas that post comments into a web app can open you up to client-side XSS. Better to get into the practice.

Sanitize wherever possible as a general rule. I should also mention HTMLPurifier for XSS filtering should you at some point need it. Since your form is being used to send mail, you should also place a CAPTCHA on the input to prevent automated sending. May I also suggest PHPMailer for your mail commands?

Comments
