php logo
, ,

Keep your paws off of my mail()!

Here I have a prime example of a situation in which, although my application may function just fine on its own, for security reasons, it needs some extra support.

/* Note: this example taken directly from 
* in Feb, 2006  (AKA - the SecurePHP Wiki)
* Update: Nov, 2007 - the URL has changed
* Refer to the bottom of this entry for a citation 
* including a proper link to the original source. 

if (!isset($_POST["send"])){

// no post data, so display form
<form method="POST" action="<?=$_SERVER['PHP_SELF'];?>">
From: <input type="text" name="sender">
Subject : <input type="text" name="subject">
Message : 
<textarea name="message" rows="10" cols="60" lines="20"></textarea>
<input type="submit" name="send" value="Send">
else {
<!-- /wp:preformatted -->

<!-- wp:preformatted -->
<pre class="wp-block-preformatted"><span class="red">  // found post data .. deal with it
<!-- /wp:preformatted -->

<!-- wp:preformatted -->
<pre class="wp-block-preformatted"><span class="red">  // send mail :
</span><span class="red">  if (mail($to,$_POST['subject'],$_POST['message'],"From: $from")){
    // display confirmation message if mail sent successfully
    echo "Your mail was indeed sent to $to.";
  else {
    // sending failed, display error message
    echo "Doh! Your mail could not be sent.";

Why does the ‘contact form’ above need support in order to be secure?
It is essential to protect the hosting server from anonymous mail() usage by random users who find a way to send their own mail by hijacking our mail(), which should technically only send that mail to me (or the designated recipient) but nevertheless may be vulnerable and subject to manipulation if accessible to a knowledgeable, ambitious mail-hijacker.

For example take a look at PHPSecure’s example in which the mail() function above is easily manipulated– simply by injecting an additional header to insert a Cc: recipient field (thereby allowing for numerous CC’d recipents, as shown again in PHPSecure’s code (paraphrased):

How does our malicious visitor inject the extra email headers needed in order to hijack the PHP mail() function?

[the Hijacker’s goal is to create, from the existing mail() function, his ability] to send anonymous emails to other recipients. There are numerous additional fields that can be specified in the mail headers (see [RFC 822]). For example ‘Cc’ (Carbon Copy), which sends a copy of the message to the email addresses given as arguments. A better choice is to use the ‘Bcc’ (Blind Carbon Copy) which sends a carbon copy of the message just like with the ‘Cc’ header, except that the recipients’ email addresses given as arguments are not shown to the multiple recipients’ headers. As specified in the [RFC 822], one must add a line feed for every header. The <LF> (line feed) char has a hexadecimal value of 0x0A.

Thus by providing the following values to the example script (shown above) of this article :

entered into the sender field of the form:


Commonly Exploited PHP mail() Vulnerabilities:

inject previously absent mail headers: the Cc: and/or Bcc: Fields. Using the Line-Feed Control Character, the Cc: and/or Bcc: fields can effectively be inserted, according to the mail() syntax specs, by simply creating the New Lines in the code being sent to the mail server. adding more address Use Line-Feed (%0a or %0A or \a or \A or etc.) Use of Line-feed results in injection of mail headers, not intended or specified by the author.

The following web site was heavily referenced when writing this article:
Web Site: phpSecure; Article Name: Email Injection;
Original URL is no longer available. It has most likely been moved to the following location:

Kohler, Damon. “E-mail Injection”, SecurePHP (a.k.a. the Secure PHP Wiki), Rev. 2007-06-25. Available at: Accessed: 2007-11-19

Whatchu do

Leave a Reply

Your email address will not be published. Required fields are marked *