About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


Ask Chris Is Back

It's been a few months since Episode One, but thanks to Marcus, Ask Chris is back on the air. The format is a bit different - instead of doing separate shows, we'll be doing a short segment at the end of each interview.

This interview is with David Sklar of Ning. He and Marcus discuss Ning, of course, but David also provides some good perspective on the state of technology and how the definition of a programmer is becoming more and more inclusive.

This episode of Ask Chris is about email injection, a topic of growing concern for PHP developers. We recorded this immediately after I had returned from a trip, so hopefully I don't sound too weary. If you have any questions you'd like to have answered or topics you want me to discuss with Marcus, please leave a comment here or contact him directly.

Thanks for listening!

About This Post

Ask Chris Is Back was posted on Sun, 26 Feb 2006 at 20:30:06 GMT.

5 Comments

1. Dean Wood said:

You didn't specifically mention it in the broadcast but isn't the Subject parameter of mail() a target for header injection as well as the fourth parameter?

Mon, 27 Feb 2006 at 08:08:21 GMT


2. Chris Shiflett said:

Hi Dean,

No, that shouldn't be possible. The first two arguments to mail() correspond directly to the To and Subject headers, respectively. To my knowledge, there is no way to inject any additional headers using these arguments - all you can do is modify the headers. The To header is only problematic because an attacker can pass a list of addresses.

If you try it yourself, you should find that even with carriage returns and newlines, the only thing you can modify with the second argument is the Subject header - nothing else.

That being said, I personally don't rely on this and check everything I receive from an outside source.

Mon, 27 Feb 2006 at 14:19:04 GMT


3. Luke Welling said:

I have an Ask Chris topic. Is shared hosting security an oxymoron?

Tue, 28 Feb 2006 at 01:25:40 GMT


4. James Benson said:

Very Interesting, when is your next show?

Thu, 29 Jun 2006 at 23:18:51 GMT


5. Erich said:

Hi Chris,

Your comment is from 2 years ago (27 Feb 2006), and in the meantime it seems possible to inject headers through the "subject" parameter by using a bug in PHP.

See:

http://www.php-security.org/MOPB/MOPB-34-2007.html

Wed, 19 Mar 2008 at 15:31:11 GMT
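The thread above covers two points: Chris's explanation that the fourth argument of mail() (additional headers) is where injected header lines land, and Erich's later note that a PHP bug made the subject argument a vector too. The defensive conclusion Chris draws, check everything from an outside source, is illustrated below with an added example that is not code from the post or its comments. The contact-form field names, the recipient address, and the helper function names are assumptions for the illustration.

```php
<?php
// Added example (not from the post or its comments). Assumed: a contact form
// posts 'subject', 'message' and 'reply_to'; the recipient is a fixed address.

const CONTACT_RECIPIENT = 'contact@example.com'; // constant, never user-supplied

/**
 * A value is safe to place in a mail header only if it contains no
 * carriage return, line feed or NUL byte; any of those could end the
 * current header line and begin a new one. preg_match() returns 0 when
 * nothing matches and false on error, so only 0 counts as safe.
 */
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 0;
}

/**
 * Validate every user-controlled value before it reaches mail().
 * Returns null on success or a short reason string on rejection, so the
 * caller can log why a submission was refused.
 */
function validate_contact_input(string $subject, string $reply_to): ?string
{
    // Subject and Reply-To both end up in headers, so both are checked,
    // not only the text destined for the fourth argument.
    if (!is_header_safe($subject)) {
        return 'subject contains a line break';
    }
    if (!is_header_safe($reply_to)) {
        return 'reply_to contains a line break';
    }
    // A single, well-formed address; lists of addresses are refused.
    if (filter_var($reply_to, FILTER_VALIDATE_EMAIL) === false) {
        return 'reply_to is not a single valid address';
    }
    return null;
}

/**
 * Hardened sender: rejects rather than sanitises, because a legitimate
 * subject or address never needs a newline.
 */
function send_contact_mail(string $subject, string $message, string $reply_to): bool
{
    if (validate_contact_input($subject, $reply_to) !== null) {
        return false;
    }
    $headers = "From: noreply@example.com\r\n"
             . "Reply-To: " . $reply_to . "\r\n";
    return mail(CONTACT_RECIPIENT, $subject, $message, $headers);
}

/**
 * Vulnerable counterpart, kept for contrast only: the user-supplied
 * reply_to flows straight into the fourth argument, so a value carrying a
 * line break followed by another header line is passed through as a header.
 */
function send_contact_mail_unsafe(string $subject, string $message, string $reply_to): bool
{
    return mail(CONTACT_RECIPIENT, $subject, $message, "Reply-To: " . $reply_to);
}

// Constructed sample inputs exercising the check (no mail is sent here).
$samples = [
    ['Question about the podcast', 'dean@example.org'],   // accepted
    ["Question\r\nX-Extra: header", 'dean@example.org'], // rejected: subject
    ['Question', "dean@example.org\nX-Extra: header"],   // rejected: reply_to
    ['Question', 'dean@example.org, second@example.org'], // rejected: address list
];
foreach ($samples as [$subject, $reply_to]) {
    $reason = validate_contact_input($subject, $reply_to);
    echo json_encode($subject), ' / ', json_encode($reply_to), ' => ',
         $reason === null ? 'accepted' : 'rejected (' . $reason . ')', PHP_EOL;
}
```

Rejecting instead of stripping the offending characters keeps the behaviour predictable and makes refused submissions easy to log and count; a sudden rise in rejections from one source is itself a useful signal. The check is applied to every header-bound value, which also covers the subject-argument case Erich raises, since it does not depend on which argument of mail() is the vector.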

