Email Header Injection
Description
Email Header Injection is a vulnerability that occurs when an application places user input into email headers (for example the To, Subject, From or Reply-To fields, or a display name) without validating it. Headers in an email message are separated by a carriage return and line feed pair (CR LF, \r\n), so an attacker who can submit those characters terminates the intended header and appends headers of their own, such as Bcc or additional To recipients, or even a blank line followed by a new message body. The application then sends mail whose recipients or content the attacker controls, which is typically abused for spam and phishing from a trusted sender domain. Invicti has confirmed this vulnerability by successfully injecting email headers that caused your application to send a test email to Invicti's out-of-band (OOB) testing service.
Remediation
To remediate this vulnerability, implement strict input validation and sanitization for all user-supplied data used in email functions:
1. Validate and sanitize email headers: Reject (or, at minimum, remove) any input containing carriage return (CR, \r, 0x0D), line feed (LF, \n, 0x0A) or NUL (0x00) characters before it is used in an email address, subject line, display name, or any other value placed in an email header. Rejecting is preferable to stripping: a value that contains CR or LF is an attack, not a formatting mistake, and failing the request leaves nothing to guess about what the stripped value will look like.
2. Use safe email libraries: Utilize well-maintained email libraries that automatically handle header injection protection rather than using raw mail functions.
3. Example sanitization (PHP):
// Remove CR, LF and NUL characters from a value that will be placed in a header.
// $_POST values are already URL-decoded by PHP, so the raw control characters are
// what must be removed; matching the literal text "%0a" or "%0d" is not needed.
function sanitizeEmailHeader($input) {
    $sanitized = str_replace(array("\r", "\n", "\0"), '', (string) $input);
    return trim($sanitized);
}

$to      = sanitizeEmailHeader($_POST['email'] ?? '');
$subject = sanitizeEmailHeader($_POST['subject'] ?? '');
$message = (string) ($_POST['message'] ?? ''); // message body only; never placed in a header

// Validate email format: accepts exactly one syntactically valid address
if (!filter_var($to, FILTER_VALIDATE_EMAIL)) {
    die('Invalid email address');
}

mail($to, $subject, $message);
4. Implement allowlisting: Where possible, use allowlists to validate input against expected patterns rather than relying solely on blocklists.
5. Consider using modern alternatives: For PHP applications, consider using libraries such as PHPMailer or Symfony Mailer (the successor to SwiftMailer, which is no longer maintained) that validate addresses and strip or reject line breaks in header values, instead of building header strings by hand for mail().
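The following is an added example, not code from the Invicti report or from your application. It shows, without sending any mail, how a CRLF payload submitted in a single form field turns into an extra Bcc header when header strings are built by concatenation (the pattern behind the finding above), and contrasts it with a reject-style check that covers steps 1 and 4. The attacker input, the addresses, and the function names (buildHeadersNaive, buildHeadersSafe, assertHeaderSafe, parseHeaders) are constructed for the illustration. Run it with `php` on the command line.

```php
<?php
// Added example (not part of the Invicti report): demonstrates email header
// injection through string concatenation and a validator that rejects it.

declare(strict_types=1);

// Constructed attacker input for a "Reply-To" form field: a valid-looking
// address followed by CR LF and a header of the attacker's choosing.
const ATTACKER_INPUT = "victim@example.com\r\nBcc: attacker@evil.example";

// Vulnerable pattern: untrusted values dropped straight into the
// additional_headers string that would be passed to mail().
function buildHeadersNaive(string $from, string $replyTo, string $subject): string
{
    return "From: $from\r\nReply-To: $replyTo\r\nSubject: $subject\r\n";
}

// Split a header block into name => value pairs the way a mail transfer
// agent reads it, so any injected line becomes a header of its own.
function parseHeaders(string $raw): array
{
    $parsed = [];
    foreach (preg_split('/\r?\n/', rtrim($raw)) as $line) {
        [$name, $value] = array_map('trim', explode(':', $line, 2) + [1 => '']);
        $parsed[$name] = $value;
    }
    return $parsed;
}

// Reject rather than strip: CR, LF or NUL in a header value is hostile input
// and the request should fail, not be silently repaired.
function assertHeaderSafe(string $value, string $field): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("Control character in $field");
    }
    return $value;
}

// Hardened pattern: every user-supplied value is checked for control
// characters, and address fields must additionally be exactly one valid
// address (an allowlist check; filter_var also rejects the CRLF payload).
function buildHeadersSafe(string $from, string $replyTo, string $subject): string
{
    foreach (['From' => $from, 'Reply-To' => $replyTo] as $field => $addr) {
        assertHeaderSafe($addr, $field);
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("Invalid address in $field");
        }
    }
    assertHeaderSafe($subject, 'Subject');
    return "From: $from\r\nReply-To: $replyTo\r\nSubject: $subject\r\n";
}

// Demonstration: the naive builder yields a Bcc header the application
// never intended to set; the safe builder refuses the same input.
$naive = parseHeaders(buildHeadersNaive('noreply@app.example', ATTACKER_INPUT, 'Contact form'));
printf("Naive headers: %s\n", implode(', ', array_keys($naive)));
printf("Injected Bcc present: %s\n", isset($naive['Bcc']) ? 'yes' : 'no');

try {
    buildHeadersSafe('noreply@app.example', ATTACKER_INPUT, 'Contact form');
    echo "Accepted (unexpected)\n";
} catch (InvalidArgumentException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}

// A benign value passes the same checks unchanged.
echo buildHeadersSafe('noreply@app.example', 'customer@example.com', 'Contact form');
```

The parseHeaders step stands in for the mail transfer agent: it is where the attacker's CR LF becomes a boundary between two headers, which is why the check has to happen before the value is ever joined into a header string. Note that filter_var's FILTER_VALIDATE_EMAIL rejects the address payload on its own, but it does nothing for subject lines or display names, so the control-character check is still required on every header field.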