About the Author

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.

Ask Chris Is Back

Sun, 26 Feb 2006 at 20:30:06 GMT
5 Comments
References

It's been a few months since Episode One, but thanks to Marcus, Ask Chris is back on the air. The format is a bit different - instead of doing separate shows, we'll be doing a short segment at the end of each interview.

This interview is with David Sklar of Ning. He and Marcus discuss Ning, of course, but David also provides some good perspective on the state of technology and how the definition of a programmer is becoming more and more inclusive.

This episode of Ask Chris is about email injection, a topic of growing concern for PHP developers. We recorded this immediately after I had returned from a trip, so hopefully I don't sound too weary. If you have any questions you'd like to have answered or topics you want me to discuss with Marcus, please leave a comment here or contact him directly.

Thanks for listening!

About This Post

Ask Chris Is Back was posted on Sun, 26 Feb 2006 at 20:30:06 GMT.

5 Comments

1. Dean Wood said:

You didn't specifically mention it in the broadcast but isn't the Subject parameter of mail() a target for header injection as well as the fourth parameter?
Mon, 27 Feb 2006 at 08:08:21 GMT Link

2. Chris Shiflett said:

Hi Dean,

No, that shouldn't be possible. The first two arguments to mail() correspond directly to the To and Subject headers, respectively. To my knowledge, there is no way to inject any additional headers using these arguments - all you can do is modify the headers. The To header is only problematic because an attacker can pass a list of addresses.

If you try it yourself, you should find that even with carriage returns and newlines, the only thing you can modify with the second argument is the Subject header - nothing else.

That being said, I personally don't rely on this and check everything I receive from an outside source.
Mon, 27 Feb 2006 at 14:19:04 GMT Link

3. Luke Welling said:

I have an Ask Chris topic. Is shared hosting security an oxymoron?
Tue, 28 Feb 2006 at 01:25:40 GMT Link

4. James Benson said:

Very Interesting, when is your next show?
Thu, 29 Jun 2006 at 23:18:51 GMT Link

5. Erich said:

Hi Chris,

your comment is 2 years ago (27 Feb 2006) and in the meantime it seems possible to inject headers through the "subject"-parameter by using a bug in PHP.

see:

http://www.php-security.org/MOPB/MOPB-34-2007.html

Wed, 19 Mar 2008 at 15:31:11 GMT Link

Zac wrote:: Awesome code! Thanks!; Posted in Convert Smart Quotes with PHP
Muttley wrote:: Thanks for this, Shiffers. I've been working on a similar thing, using a similar method, so it's ...; Posted in Allowing HTML and Preventing XSS
hossein wrote:: Hi! May you give me an example how to use mcrypt_encrypt() in order to save passwrod in databa...; Posted in OpenID with myVidoop
Chris Shiflett wrote:: Hi John, I agree with you. I think the optimal solution for this site is for me to let people ...; Posted in OpenID with myVidoop
John Layman wrote:: I had one more thought after I attempted to post a comment. If a user decides to change which Ope...; Posted in OpenID with myVidoop