Hello,

on 03/11/2006 09:39 AM Merlin said the following:
> I am running php 4.x on a suse 9.x machine. There is a php script which
> resides on a webapp that is responsible for sending e-mail to myself in
> case of errors like db-errors or similar. Called error.php
> This script does include phpmailer and uses it to send the e-mails to me.
> Now I am receiving on the e-mail specified as TO: e-mails with a different
> subject than specified and different text?! All english text with weird
> sentences, must be a bot or so. How is this possible? The subject line
> is fixed and right after that the send command is executed. So no idea how
> they do it and how I can prevent it. It looks like this:
> $mail->Subject = 'Fehlerbericht';
> $mail->Send();
> How is it possible that they change this subject line? I checked the
> server log and each time an e-mail has been sent to me of that kind
> there is a log entry in the apache log that says that this script has been
> executed. So the e-mails definitely come from that script?!

If you are setting message headers with untrusted values that may
contain line breaks, that is your problem. Line breaks make mail systems
interpret the next line as a new header. That header may be used to
inject new recipients, for instance using Bcc:.

You can have line breaks in a header, but you need to escape them properly
so they are interpreted as continuation lines rather than new headers.

You may want to take a look at this class that can encode header values
to make line breaks be interpreted as continuation lines, so they cannot
be abused by spammers:

http://www.phpclasses.org/mimemessage


-- 

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
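To make the point in the reply concrete, here is an added PHP example (not code from the original post, from PHPMailer, or from the phpclasses.org MIME message class). It shows the header-injection shape the reply describes, a check that rejects any header value containing CR or LF, and a folding routine that turns remaining line breaks into RFC 2822 continuation lines so the mail system keeps them inside the same header. The `$untrusted` value and the function names `build_headers_unsafe`, `header_value_is_clean`, `fold_header_value` and `build_headers_safe` are constructed for this illustration.

```php
<?php
// Added example, not part of the original message.
// Constructed sample input: a header value carrying a CRLF, which is the
// shape of a header-injection attempt (not data from the post).
$untrusted = "Fehlerbericht\r\nBcc: someone@example.invalid";

// Vulnerable construction: the value is concatenated into the header block
// as-is, so everything after the CRLF becomes a second, attacker-chosen header.
function build_headers_unsafe($subject)
{
    return "Subject: " . $subject . "\r\n";
}

// Defence 1: refuse any value that contains a carriage return or line feed.
// Returns true only when the value can be used verbatim as a single header.
function header_value_is_clean($value)
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Defence 2: keep the value but fold each run of bare line breaks into
// CRLF followed by a space (a continuation line), so the mail system reads
// the following text as part of the same header rather than a new one.
function fold_header_value($value)
{
    $folded = preg_replace('/(\r\n|\r|\n)+/', "\r\n ", $value);
    // Drop any leading or trailing fold so the header neither starts nor
    // ends with whitespace.
    return trim($folded, " \t\r\n");
}

// Safe construction using defence 1: log the attempt (hex so the log line
// itself cannot be broken by the CR/LF) and fall back to a fixed subject.
function build_headers_safe($subject)
{
    if (!header_value_is_clean($subject)) {
        error_log("Header injection attempt blocked: " . bin2hex($subject));
        $subject = 'Fehlerbericht';
    }
    return "Subject: " . $subject . "\r\n";
}

echo build_headers_unsafe($untrusted);                       // Subject plus an injected Bcc header
echo "---\n";
echo build_headers_safe($untrusted);                         // Subject only
echo "---\n";
echo "Subject: " . fold_header_value($untrusted) . "\r\n";   // one folded Subject header
```

Rejecting the value (defence 1) is the simpler choice for fields such as a subject or a sender address, where a line break has no legitimate use; folding (defence 2) is the option to reach for when the text really may span lines and must be preserved. Either way, the check belongs at the point where the untrusted value enters the header, before the mailer library assembles the message.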

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
