testing for email injection?



sv85
09-27-2005, 04:30 PM
Can anyone tell me how to test a tell-a-friend form for email injection (spamming)?

Thanks

matthijs
09-27-2005, 04:35 PM
In the following thread a nice filter is shown:
http://www.codingforums.com/showthread.php?t=68919
If things aren't clear after reading that thread, you know where to ask further questions :)

sv85
09-27-2005, 04:42 PM
Thanks.

I read that thread before. I have a tell-a-friend form and I want to know what values to put in the fields to see if it is vulnerable. I tried some values like "CC:email@domain.com" in some of the input fields to see if I would get a copy of the email to that address, but I didn't. So I just want to know if there are any other values I can use to see if my script is vulnerable (which I am sure it is).

Thanks again.

matthijs
09-27-2005, 05:22 PM
Aha, now I understand.
Well, you could hardcode some different variables in the script and see what happens:
For example:

$var = 'sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx';
or

$var = 'email@anonymous.xxx%0ATo:email1@who.xxx';

For a lot of examples see http://securephp.damonkohler.com/index.php/Email_Injection

There was someone who wrote a script with which to test your forms. I'll try to find that one. The script changed your current forms from singleline to multilines, so you could try to inject multiline text and see what happens.
[edit:]
It's here: http://www.twologs.com/en/services/test/formtest.asp
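The checks below are an added example, not code from the thread or from either poster. They show what the posted test strings turn into once a script pastes the value into a mail header unchecked (the `%0A` becomes a line break and everything after it becomes a new header), and a validator that rejects such values before they reach the mail call. The sample inputs are constructed for the example.

```python
import re
from urllib.parse import unquote
from email.utils import parseaddr

# Constructed sample inputs with the same shape as the payloads posted above.
SAMPLES = {
    "clean": "sender@example.com",
    "cc_inject": "sender@anonymous.www%0ACc:recipient@someothersite.xxx",
    "raw_newline": "sender@example.com\nBcc:somebloke@example.net",
}

HEADER_BREAK = re.compile(r"[\r\n]")


def injected_headers(raw_value):
    """Return the extra header lines an unchecked value would add to a message.

    A tell-a-friend script that drops the submitted address straight into the
    additional-headers string of its mail call treats every line break as the
    start of a new header. The value is URL-decoded first because the web
    server decodes %0A / %0D before the script ever sees it.
    """
    decoded = unquote(raw_value)
    lines = HEADER_BREAK.split(decoded)
    return [line for line in lines[1:] if line.strip()]


def safe_address(raw_value):
    """Return the address if it is one header-safe mailbox, otherwise None.

    Rejects any line break (raw or URL-encoded) and anything that does not
    parse as exactly one address, so comma-separated lists are refused too.
    """
    decoded = unquote(raw_value)
    if HEADER_BREAK.search(decoded):
        return None
    _, addr = parseaddr(decoded)
    if not addr or "@" not in addr or addr != decoded.strip():
        return None
    return addr


def from_header(raw_value):
    """Build the From: header for the tell-a-friend mail, refusing unsafe input."""
    addr = safe_address(raw_value)
    if addr is None:
        raise ValueError("sender address rejected: possible header injection")
    return "From: " + addr
```

Run `injected_headers()` over each form field value to see which ones would smuggle headers; `from_header()` is the shape of the check to put in front of the mail call.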


