Email Header Injection

Severity: Medium
Test name: Email Header Injection
Test ID: email_injection
Summary

Some web applications let users send email messages to predefined recipients through a contact form. The contact form script typically builds the message headers (for example From, Reply-To and Subject) from the submitted fields and hands the assembled message to the local mail transfer agent or an SMTP server. The mail server parses that header block to decide how the message is routed (Cc and Bcc headers become additional recipients, i.e. additional RCPT TO commands) and how it is presented to the recipient.

Email Header Injection allows an attacker to insert additional, attacker-controlled headers into the message through unsafe user input. Headers are separated by line breaks, so a field value containing a carriage return or line feed (CR/LF) terminates the current header and starts a new one. The mail server cannot distinguish the injected header from a legitimate one and acts on it, for example by delivering the message to every address listed in an injected Bcc header.

Impact

This vulnerability may lead to:

  • Sending spam emails from your infrastructure, to recipients of the attacker's choosing.
  • Phishing and spoofing attacks. Because the message really is sent by your server, the recipient is made to believe that the email is legitimate. Such an email usually directs the victim to a malicious website that steals their credentials or infects their computer with malware (via a drive-by download).
  • Denial of Service if the attacker uses the form to send a very large number of emails, overloading the mail server.
Example of a spam email
  1. Let's imagine the following code is used on the server side for sending an email message (the name and email fields are copied into the header block without any validation):
<?php
if (!empty($_POST['name'])) {
  $name    = $_POST['name'];
  $email   = $_POST['email'];
  $message = $_POST['message'];
  $subject = 'Contact form request';
  // Set headers: user input is concatenated straight into the header block,
  // so a line break inside $name or $email starts a new header
  $headers = "From: $name \n" .
             "Reply-To: $email";
  mail('root@localhost', $subject, $message, $headers);
}
  2. Expected request example:
POST /contact.php HTTP/1.1
Host: www.{your_web_site}.com
Payload:
  name=Test User
  [email protected]
  message=Hello! This is a test message.
  3. An attacker can send the following request, where the name field contains a line break followed by a Bcc header:
POST /contact.php HTTP/1.1
Host: www.{your_web_site}.com
Payload:
  name=Best Seller\nbcc: [email protected]
  [email protected]
  message=Buy my awesome product!
  4. As a result, the Bcc header is honoured by the mail server and the attacker can send a large number of messages to arbitrary recipients, anonymously and through your server. The attacker may also send phishing emails, which the recipients trust because the messages genuinely originate from your website.
Location

The issue is located in the server-side source code, in the place where submitted form fields are used to build the email headers.

Remedy suggestions
  • Validate every user-supplied value that ends up in an email header, using the functions your programming language provides. In particular, reject input containing carriage returns or line feeds (\r, \n), since a line break is exactly what allows an attacker to start a new header. Rejecting the request is preferable to silently stripping the characters.
  • Enforce the correct type for each supplied value (string, float, int). If your application expects an email address, validate it against an email pattern (in PHP, filter_var with FILTER_VALIDATE_EMAIL) before using it in a Reply-To header; a valid address cannot contain line breaks.
  • Alternatively, use a mature email library that builds the header block itself and refuses line breaks in header values. Use the latest version and upgrade your email library periodically.
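The following PHP snippet is an added example, not code from the original page: it places the header construction from the vulnerable snippet above beside a hardened version that applies the remedies just listed, and runs both against the attacker payload from the example request. Function names, the fixed sender address and the example.invalid addresses are assumptions made for the illustration.

```php
<?php
// Added example (not from the original page). Function names and the
// addresses below are hypothetical.

// Mirrors the vulnerable snippet: user input is concatenated straight into
// the header block, so an embedded line break starts a new header.
function build_headers_unsafe(string $name, string $email): string {
    return "From: $name \n" . "Reply-To: $email";
}

// Rejects any CR, LF or NUL in a value destined for a header line.
function assert_single_line(string $value, string $field): string {
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("$field must not contain line breaks");
    }
    return $value;
}

function build_headers_safe(string $name, string $email): string {
    // Reply-To must be a syntactically valid address; FILTER_VALIDATE_EMAIL
    // rejects anything containing line breaks, spaces or a second address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid Reply-To address');
    }
    $name = assert_single_line($name, 'name');
    // Quote the display name so that ',' or '<' inside it cannot introduce a
    // second mailbox. From uses a fixed site address (assumed here), so the
    // message is never sent as coming from the visitor's own domain.
    $display = '"' . addcslashes($name, '"\\') . '"';
    return "From: $display <noreply@example.invalid>\r\n" .
           "Reply-To: $email";
}

// Constructed attacker payload, modelled on the example request: the line
// break ends the From header and starts a Bcc header of the attacker's choosing.
$attackerName  = "Best Seller\nBcc: victim1@example.invalid, victim2@example.invalid";
$attackerEmail = "attacker@example.invalid";

echo "--- unsafe: the injected Bcc line survives as a header ---\n";
echo build_headers_unsafe($attackerName, $attackerEmail), "\n\n";

echo "--- safe: the request is rejected before mail() is reached ---\n";
try {
    echo build_headers_safe($attackerName, $attackerEmail), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A benign submission passes through unchanged.
echo "\n--- safe, benign input ---\n";
echo build_headers_safe("Test User", "visitor@example.invalid"), "\n";
```

Running the script shows the unsafe builder emitting a second header line beginning with Bcc, while the hardened builder throws before any message is handed to mail(). Validating the address with filter_var and refusing line breaks in the display name are independent checks: the first protects Reply-To, the second protects From, and neither relies on mail() or the MTA to spot the injection.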
Classifications
  • CWE-20
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
References