Contact Form Hijacking – How to secure your PHP contact forms from header injection

When coding contact forms in PHP, most people don’t realize that, unless they take specific precautions, the form will probably be vulnerable to header injection. This means that an attacker can add his own headers, such as extra To, Cc or Bcc recipients, simply by submitting a form value that contains newline characters (\r\n) in a field that ends up in the email headers, typically the email address or the subject. Why do people do this? To send email spam through your server. I found an article on anders.com that explains this very well. Quoting from http://anders.com/projects/sysadmin/formPostHijacking/:

Spammers are constantly being blacklisted and kicked off of networks. Because of this, tricking a non-spamming website into sending spam has become a high priority. One way for spammers to find vulnerable webservers is to test for CGI applications that would allow the spammer to enslave the webserver. Once a vulnerable webserver is found, the spammer can mask the true source of his spam while the enslaved webserver does the bulk of the work.

The article also gives a technical explanation of how headers get injected and why it works in the first place. Look for the section “I want a more technical explanation with an example!”.

The simplest way to protect contact forms against hijacking / header injection is to strip \r and \n from every value that ends up in a mail header: the recipient, the subject, and especially anything you build into mail()’s additional_headers parameter (the From: or Reply-To: made from the visitor’s address), because PHP does not protect that parameter for you. You can use a regex for that:

$_POST['name']    = preg_replace("/[\r\n]/", "", $_POST['name']);    // goes into the From:/Reply-To: display name
$_POST['email']   = preg_replace("/[\r\n]/", "", $_POST['email']);   // goes into the From:/Reply-To: address
$_POST['message'] = preg_replace("/[\r\n]/", "", $_POST['message']); // only needed if the message reaches a header; in the body a newline cannot start a header, and this removes the visitor's paragraph breaks
// The values above can now be used in the mail() function without a newline breaking out of its header.
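To make the attack and the fix concrete, here is an added example that is not code from the original post. It puts a vulnerable header builder next to a hardened one and goes a little further than stripping newlines: the visitor’s address is validated with filter_var() and refused if it is not a plain address, the display name is stripped of all control characters and quoted, and the site’s own fixed address is used as the From: sender while the visitor only appears in Reply-To:. The function names, the contact@example.org sender and the attacker string are assumptions for illustration; mail() is never called, so the script runs offline.

```php
<?php
// Added example (not from the original post). Function names, the fixed
// sender address and the attacker input below are made up for illustration.

// Constructed attacker input: an "email" field that ends the address with a
// CRLF and continues with a header (and even a body) of the spammer's choosing.
const ATTACKER_EMAIL = "visitor@example.com\r\nBcc: target1@example.net, target2@example.net\r\n\r\nBuy now!";

// Vulnerable: form values are concatenated straight into additional_headers.
// mail() does not inspect this argument, so every CRLF inside $email starts
// a new header line (here a Bcc:, followed by a second message body).
function buildHeadersVulnerable(string $name, string $email): string
{
    return "From: $name <$email>\r\n"
         . "Reply-To: $email";
}

// Hardened, step 1: remove CR, LF and every other control character from any
// free-text value that is placed in a header (display name, subject, ...).
function stripHeaderControlChars(string $value): string
{
    return preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);
}

// Hardened, step 2: the address is either syntactically valid or the whole
// submission is refused. FILTER_VALIDATE_EMAIL rejects whitespace, CR, LF
// and ':', so nothing header-like can survive validation.
function validateAddress(string $email): ?string
{
    $clean = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// Hardened, step 3: the site's own (assumed) address is the From: sender, the
// visitor only appears in Reply-To:, and the display name is quoted so that a
// stray '<' or '"' in it cannot redefine the address.
function buildHeadersHardened(string $name, string $email): ?string
{
    $address = validateAddress($email);
    if ($address === null) {
        return null;                      // refuse; do not try to "repair" it
    }
    $displayName = addcslashes(stripHeaderControlChars($name), "\"\\");
    return "From: Contact form <contact@example.org>\r\n"
         . "Reply-To: \"$displayName\" <$address>\r\n"
         . "X-Mailer: PHP/" . PHP_VERSION;
}

// Check usable in a test: true when a header block contains a recipient
// header the form never meant to send, or a blank line that ends the headers.
function containsInjectedHeader(string $headers): bool
{
    return preg_match('/^(?:Bcc|Cc|To):/mi', $headers) === 1
        || strpos($headers, "\r\n\r\n") !== false;
}

// Demonstration: the same attacker input through both builders.
$bad = buildHeadersVulnerable("Alice", ATTACKER_EMAIL);
echo $bad, "\n\n";
var_dump(containsInjectedHeader($bad));

var_dump(buildHeadersHardened("Alice", ATTACKER_EMAIL));

// A newline smuggled through the name field instead is flattened into a space.
$good = buildHeadersHardened("Alice\r\nBcc: x@example.net", "alice@example.com");
echo $good, "\n";
var_dump(containsInjectedHeader($good));
```

Running it, the vulnerable builder emits the injected Bcc: line and the blank line as real headers, so containsInjectedHeader() reports true; the hardened builder returns null for the attacker string because the address fails validation, and when the newline is placed in the name field instead, it survives only as a space inside the quoted display name. Refusing the submission is preferable to silently stripping, since a visitor whose address contains a newline is not a genuine contact request.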