Hello, on 03/11/2006 04:12 PM Rasmus Lerdorf said the following: >>> I am running php 4.x on a suse 9.x machine. There is a php script which >>> resides >>> on a webapp that is responsible for sending e-mail to myself in case of >>> errors like db-errors or similar. Called error.php >>> This script does include phpmailer and uses it to send the e-mails to >>> me. >>> Now I am receiving on the e-mail specified as TO: e-mails with different >>> subject >>> than specified and different text?! All english text with wired >>> sentences, must be a bot or so. How is this possible? The subject line >>> is fixed and right after that commend send is executed. So no idea how >>> they do it and how I can prevent it. It looks like this: >>> $mail->Subject = 'Fehlerbericht'; >>> $mail->Send(); >>> How is it possible that they change this subject line? I checked the >>> server log and each time an e-mail has been sent to me of that kind >>> there is a logentry in apache log that says that this script has been >>> executed. So the e-mails definatelly come from that script?! >> >> If you are setting message headers with untrusted values that may >> contain line breaks, that is your problem. Line breaks make mail systems >> interpret the next line as a new header. That header may be used to >> inject new recipients for instance using Bcc: . >> >> You can have line breaks in header but you need to escape them properly >> so they are interpreted as continuation lines rather than new headers. > > That is only true for the additional_headers (4th) argument to the mail > function. That argument is specifically for doing free-form headers, so > as long as you only use the to, subject and message arguments to the > mail function you are safe.
That is what I said, sending headers with untrusted values, so people have to use the 4th argument to set for instance the From: header. This From: header is often set to values set in forms to the e-mail address and name of the person that is trying to contact the site people. That is usually from where most the PHP mail form abuses come from. As I said line breaks in the From: or other headers are not invalid. Actually line breaks should be used to comply with RFC recommendations and do not exceed the 78/998 line length limit. When these limits are exceeded, messages may arrive corrupted. The mail function is a better than nothing solution. It can still be used but to send RFC compliant messages, often it is necessary to correctly format message contents. That is why I always recommend this or other class that takes care of those (many) details: http://www.phpclasses.org/mimemessage -- Regards, Manuel Lemos Metastorage - Data object relational mapping layer generator http://www.metastorage.net/ PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
