perl: December 2006 Archives

MIME Injection Attacks

Ever since the dawn of Matt's formmail.cgi, there have been people wanting to use your CGIs to send emails to people you didn't intend them to. MIME injection attacks continue this tradition. They work by sending MIME headers in one of the form fields, followed by two newline characters. Provided the form field input is used by your script in the email headers (e.g. an email address supplied by the form used as the From: value), this can result in your MTA thinking it has all the headers and that everything after the two newlines is the body of the email.

An easy and effective way to make sure your scripts are safe from this sort of attack is to check the form data for MIME headers. I use a simple regex to do this and check any form field that will be used in the email header with something like this in my scripts:
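    use Data::Dumper;    # provides Dumper() for logging

    # Header names that should never appear in a name or email field
    my $regexp = '(bcc|cc|content-type|to|from)\s*:';
    # $input is a hashref of the submitted form fields
    foreach (qw(last_name first_name email)) {
        if ($input->{$_} =~ /$regexp/is) {
            warn Dumper($input);    # log the whole submission
            die;
        }
    }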
Why would anyone put "to:" or "bcc:" or "content-type:" in a name or email address field on a web form? I can think of no legitimate reason, so I just log the form submission for bedtime reading and crash out. If I'm running under FastCGI, I don't die, I just return the thank you page and do nothing else seeing as killing off a script under FastCGI is a costly exercise in terms of resources to start it back up again.
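
The check above, carried a step further as an added example (not code from the original post): since the attack depends on newline characters reaching the header block, this version also rejects any CR or LF in a header-bound field, and it skips the submission instead of dying, as described for FastCGI. The `header_problem` helper and the sample submissions are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Header names the post's regex looks for, followed by optional space and a colon.
my $mime_header = qr/(?:bcc|cc|content-type|to|from)\s*:/i;

# Returns a reason string if the value is unsafe to place in a mail header,
# or undef if it passes both checks. (Hypothetical helper, not from the post.)
sub header_problem {
    my ($value) = @_;
    return 'missing value'        unless defined $value;
    return 'CR/LF in value'       if $value =~ /[\r\n]/;
    return 'MIME header in value' if $value =~ $mime_header;
    return;
}

# Constructed sample submissions (not real traffic).
my @submissions = (
    { first_name => 'Ann', last_name => 'Lee', email => 'ann@example.com' },
    { first_name => 'Bob', last_name => 'Ray',
      email => "bob\@example.com\nBcc: other\@example.net\n\nextra body" },
    { first_name => 'to: someone', last_name => 'X', email => 'x@example.com' },
);

for my $i (0 .. $#submissions) {
    my $input = $submissions[$i];
    my @bad;
    for my $field (qw(last_name first_name email)) {
        my $why = header_problem($input->{$field});
        push @bad, "$field ($why)" if defined $why;
    }
    if (@bad) {
        # Log and skip: nothing from this submission is handed to the MTA.
        print "submission $i rejected: ", join(', ', @bad), "\n";
        next;
    }
    print "submission $i accepted; From: $input->{email}\n";
}
```

Only the first submission is accepted; the second is caught by the CR/LF check before the regex is consulted, and the third by the regex alone.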
