If you web application sends emails based on information entered in the form, you should pay attention to the possibility of Email header injection attack.
Email header injection attack is based on flaws in the email protocol. Headers in the MIME message are recognized by SMTP servers by the line feed ([LF]). So typical email message looks like this:

[LF]to: recipient@domain.com
[LF]Subject: recipient@domain.com
[LF]Content type: recipient@domain.com
[LF]Message body

Now if a user can enter recipient email in the form he/she can do something like this:

recipient email: johndoe@serbiancafe.com%0Asubject:this is new even subject.

%0A is actually line feed.
Now, it will depend from SMTP server and email client which subject will it show, some use first one, some the lates one, some append all subjects to email.

Malicious user can change any header of your message this way, to, cc, bcc fields, content-type, even the actual message.

Message body can be changed in the same way, only without the header name. But note that body added like this will be PREPENDED to the email message. So if someone uses your email form to send an email message with new body he/she can enter the follwing in the available form filed (in our case recipient address):

recipient email: johndoe@serbiancafe.com%0Asubject:this is new even subject.%0AThe Spam message body, you didnt want this, but it will come to your inbox

And without knowing it, your ‘email this page to a friend’ form will become the source of spam!

Now how to resolve this issue?
You shpuld check all the fields that are available for user input in your email form for and characters (’\n’ and ‘\r’ in your java code).

You have two approaches available. You can either:
1. reject to send any email that contains any of these characters (recommended)
2. remove the characters and send the email as it is

The java code that does this is very simple:


public static boolean isHeaderInjection(String value) {
if (value == null) return false;
if ((value.indexOf("\n") != -1 || value.indexOf("\r") != -1) || value.indexOf("%0A") != -1) {
return true;
}
return false;
}


Make sure to check all your email form fields, and you should be safe from this kind of attack.

Tags: email header injection, email security, spam

This entry was posted on Thursday, May 8th, 2008 at 8:31 am and is filed under Aleksa's Blog. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.