A typical PHP script for sending e-mail from a request or feedback form looks like this:
---cut---------------------
<form method="post" action="contact.php">
<p>Your name :<br /><input type="text" name="name" value="" /></p>
<p>Mobile number :<br /><input type="text" name="phone" value="" /></p>
<p>Mobile model :<br /><input type="text" name="model" value="" /></p>
<p>Mobile network :<br /><input type="text" name="network" value="" /></p>
<p>E-mail address :<br /><input type="text" name="email" value="" /></p>
<p>Your order number :<br /><input type="text" name="order" value="" /></p>
<p>When did you call :<br /><input type="text" name="date" value="" /></p>
<p>Country :<br /><input type="text" name="country" value="" /></p>
<p>Complaint :<br /><input type="text" name="text" value="" /></p>
<p><input type="submit" value="Send Info" /></p>
</form>
---cut---------------------
and contact.php usually looks like this:
---cut---------------------
<?
// Relies on register_globals: $name, $phone, ... $email arrive straight from the form fields.
$s="
Problem Report:

Your name : $name
Mobile number : $phone
Mobile model : $model
Mobile network : $network
E-mail address : $email
Your order number : $order
When did you call : $date
Country : $country
Complaint : $text
";
// $email goes into the additional headers unchecked.
mail("user@domain.kom", "PROBLEM REPORT", $s, "from: $email" );
?>
<p>Thank you for the feedback...</p>
---cut---------------------
In this case, nothing about $email is checked.
That lets the attacker use e-mail attachments to send spam.
Suppose the attacker uses a modified form and sends something like:
$email field :
---cut---------------------
spam@spam.com
Content-Type: multipart/mixed; boundary="===============0129976066=="
MIME-Version: 1.0
Subject: Modified_email_subject
To: additional_recepient@domain1.kom
From: spam@spam.com
---cut---------------------
then the attacker builds the e-mail attachment by inserting the message into ANY of the other fields:
$order field :
---cut---------------------
xxxxxxxxx
--===============0129976066==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Spam here, buy something for 1 USD
--===============0129976066==--
xxxxxxxxx
---cut---------------------
The final e-mail may look like this:
---cut---------------------
Date: Thu, 28 Jul 2005 00:06:15 -0500
Message-Id: <200507280506@domain.kom>
To: user@domain.kom
Subject: PROBLEM REPORT
from: spam@spam.com
Content-Type: multipart/mixed; boundary="===============0129976066=="
MIME-Version: 1.0
Subject: Modified_email_subject
To: additional_recepient@domain1.kom
From: spam@spam.com

Your name : aaaaaaaaaaaaaaaaaaaaaa
Mobile number : aaaaaaaaaaaaaaaaaaaaaa
Mobile model : aaaaaaaaaaaaaaaaaaaaaa
Mobile network : aaaaaaaaaaaaaaaaaaaaaa
E-mail address : aaaaaaaaaaaaaaaaaaaaaa
Your order number : xxxxxxxxx
--===============0129976066==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Spam here, buy something for 1 USD.
--===============0129976066==--
xxxxxxxxxx
When did you call : aaaaaaaaaaaaaaaaaaaaaa
Country : aaaaaaaaaaaaaaaaaaaaaa
Complaint : aaaaaaaaaaaaaaaaaaaaaa
---cut---------------------
In the original post the "included" parts were highlighted in yellow and the actual spam mail was shown in red (the colouring is not preserved in this plain-text copy). If you play with multipart/alternative, you can make e-mail clients show only the part/attachment you want and hide the others.
Please note that I actually did not try this, but this may be the basic idea.
For a working "solution" the "inserted" parts would have to be more elaborate.
The fix is the same as for the famous SQL injection: CHECK EVERYTHING THE USER ENTERS in your code, or REMOVE ALL spaces, carriage returns and new lines from the parts you put into e-mail headers :-)
There is one more solution: do not include ANYTHING received from the user in the e-mail headers. Use a default From address, something like no_reply@domain.kom.
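Putting both fixes together, here is a hardened contact.php written as an added example for this post (it is not the original author's script). It reads the fields from $_POST instead of register_globals, rejects any address that contains a line break or fails PHP's built-in e-mail filter, sends with a fixed From address, and only places the user's address in Reply-To once it has been validated. The recipient user@domain.kom and the sender no_reply@domain.kom are the placeholders from the post; the helper names has_header_injection, clean_email and build_report are this example's own.

```php
<?php
// Hardened contact.php (added example, not the original advisory's code).
declare(strict_types=1);

// CR, LF and NUL are the characters that would let a form value start a new
// header line inside mail()'s additional_headers argument. Any value that is
// going to be used in a header must be free of them.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns the validated address or null. FILTER_VALIDATE_EMAIL only accepts a
// single mailbox, so a multi-line payload like the one above is rejected here.
function clean_email(string $value): ?string
{
    $value = trim($value);
    if (has_header_injection($value)) {
        return null;
    }
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Body fields are not headers, so line breaks in them cannot inject headers;
// they are collapsed only to keep the report one line per field.
function build_report(array $fields): string
{
    $lines = ['Problem Report:', ''];
    foreach ($fields as $label => $value) {
        $lines[] = $label . ' : ' . preg_replace('/[\r\n]+/', ' ', $value);
    }
    return implode("\n", $lines) . "\n";
}

$labels = [
    'name'    => 'Your name',
    'phone'   => 'Mobile number',
    'model'   => 'Mobile model',
    'network' => 'Mobile network',
    'email'   => 'E-mail address',
    'order'   => 'Your order number',
    'date'    => 'When did you call',
    'country' => 'Country',
    'text'    => 'Complaint',
];

// Read every field explicitly from $_POST (no register_globals) and cap its length.
$fields = [];
foreach ($labels as $key => $label) {
    $raw = $_POST[$key] ?? '';
    $fields[$label] = is_string($raw) ? substr($raw, 0, 1000) : '';
}

$email = clean_email($fields['E-mail address']);
if ($email === null) {
    http_response_code(400);
    echo '<p>Please enter a valid e-mail address.</p>';
    exit;
}

// Fixed sender; the user's address is only ever used in Reply-To, and only
// after clean_email() has accepted it. Both addresses are placeholders.
$headers = "From: no_reply@domain.kom\r\n"
         . "Reply-To: $email\r\n"
         . "Content-Type: text/plain; charset=us-ascii\r\n";

mail('user@domain.kom', 'PROBLEM REPORT', build_report($fields), $headers);
echo '<p>Thank you for the feedback...</p>';
```

The essential property is that every byte reaching the header argument of mail() is either a constant or has passed clean_email(); the body is free-form text and can carry whatever the user typed, because without a forged Content-Type header in the real headers the MIME boundary lines in the $order field are just text.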