View Full Version : testing for email injection?

09-27-2005, 04:30 PM
Can anyone tell me how to test a tell-a-friend form for email injection (spamming)?


09-27-2005, 04:35 PM
In the following thread a nice filter is shown:
If things aren't clear after reading that thread, you know were to ask further questions :)

09-27-2005, 04:42 PM

I read that thread before. I have a tell a friend form and I want to know what values to put in the fields to see if it is vulnerable. I tried some values like "CC:email@domain.com" in some of the input fields to see if i would get a copy of the email to that address(^), but I didnt. So i just want to know if there are any other values I can use to see if my script is vulnerable(which i am sure it is).

Thankss again.

09-27-2005, 05:22 PM
Aha, now I understand.
Well, you could hardcode some different variables in the script and see what happens:
For example:

$var = 'sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooo ps.xxx';

$var = 'email@anonymous.xxx%0ATo:email1@who.xxx';

For a lot of examples see http://securephp.damonkohler.com/index.php/Email_Injection

There was someone who wrote a script with which to test your forms. I'll try to find that one. The script changed your current forms from singleline to multilines, so you could try to inject multiline text and see what happens.
It's here: http://www.twologs.com/en/services/test/formtest.asp