MIME Injection Attacks

Posted by robbiebow on 28 December, 2006 under perl

Ever since the dawn of Matt’s formmail.cgi, there have been people wanting to use your CGIs to send emails to people you didn’t intend them to. MIME injection attacks continue this tradition. They work by sending MIME headers in one of the form fields and following them with two newline characters. Provided the form field input is used by your script in the email headers (e.g. an email address supplied by the form is used as the From: value), this can result in your MTA thinking it has all the headers, and everything after the two newlines becomes the body of the email.

An easy and effective way to make sure your scripts are safe from this sort of attack is to check the form data for MIME headers. I use a simple regex to do this, and check any form field that will be used in an email header with something like this in my scripts:

    use Data::Dumper;   # provides Dumper() for logging the submission

    # $input is a hash reference holding the submitted form fields
    my $regexp = '(bcc|cc|content-type|to|from)\s*:';
    foreach (qw(last_name first_name email)) {
        if ($input->{$_} =~ /$regexp/is) {
            warn Dumper($input);   # log the whole submission for later reading
            die;
        }
    }

Why would anyone put "to:" or "bcc:" or "content-type:" in a name or email address field on a web form? I can think of no legitimate reason, so I just log the form submission for bedtime reading and crash out. If I’m running under FastCGI, I don’t die, I just return the thank you page and do nothing else seeing as killing off a script under FastCGI is a costly exercise in terms of resources to start it back up again.
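The check below is an added example written for this page; it is not the code from the post above. It goes slightly further than the regex above: because a bare CR or LF in a header-bound field is enough to terminate the header block, it rejects any line break outright, and it anchors the header-name match on a word boundary so that ordinary text such as "Toronto:" is not flagged. The form submissions and the helper names (header_value_is_safe, bad_header_fields) are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Header names that should never appear inside a form value destined for
# an email header. The \b avoids matching "to:" inside a longer word.
my $header_re = qr/\b(?:bcc|cc|to|from|subject|reply-to|content-type)\s*:/i;

# Returns 1 if the value may safely be placed in an email header, 0 if not.
sub header_value_is_safe {
    my ($value) = @_;
    return 0 unless defined $value;
    return 0 if $value =~ /[\r\n]/;    # any line break ends the header block
    return 0 if $value =~ $header_re;  # header-looking token in the value
    return 1;
}

# Checks every named field of a submission (a hash reference) and returns
# the names of the offending fields; an empty list means the submission
# is clean.
sub bad_header_fields {
    my ($input, @fields) = @_;
    return grep { !header_value_is_safe($input->{$_}) } @fields;
}

# Constructed submissions: one ordinary, one carrying an injected header.
my %clean = (
    first_name => 'Rob',
    last_name  => 'Bow',
    email      => 'rob@example.com',
);
my %hostile = (
    first_name => 'Rob',
    last_name  => 'Bow',
    email      => "rob\@example.com\r\nBcc: someone\@example.com\r\n\r\nbody",
);

for my $submission (\%clean, \%hostile) {
    my @bad = bad_header_fields($submission, qw(first_name last_name email));
    print @bad ? "rejected, suspicious field(s): @bad\n" : "ok\n";
}
```

Under FastCGI the same functions apply; instead of calling die when bad_header_fields returns a non-empty list, log the submission and return the thank-you page without sending anything, as the post describes.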

Successfully reclaimed bank charges

Posted by robbiebow on 7 December, 2006 under stuff

Hurrah! I’ve just learnt that my bank have repaid me £2004.25 worth of penalty charges from the last six years’ banking with them. I heard a while ago that bank penalty charges were unlawful. I looked around for more information and found Money Saving Expert had the info I needed. That led me to the excellent Consumer Action Group, which is basically a consumer support group with advice on how the law stands and how to go about reclaiming your money, and even has templates for letters and spreadsheets to get you through to success.


Optimizing MySQL

Posted by robbiebow on 6 December, 2006 under geek

One of the best ways to speed up any system that relies on a database is to optimize the database. So that’s what I did the other night for MySQL 5.0.24 running on a Windows box with a 3.2GHz processor and 2GB of RAM. The server uses a mixture of table types (InnoDB and MyISAM) and gets hit a lot with queries against tables that don’t change an awful lot. The resultant my.ini config should give you some ideas on how to optimize MySQL in a similar situation