Php Mail Header Injection
Description
Detects potential email header injection vulnerabilities in PHP applications where unvalidated user input reaches the headers parameter of the mail() function. This could allow attackers to inject additional headers or modify existing ones, potentially leading to email spoofing, spam relay, or other email-based attacks.
Detection Strategy
• Identifies calls to the PHP mail() function in the source code
• Checks if the headers parameter (4th argument) of mail() contains user-controlled or unvalidated input
• Reports a vulnerability if the headers parameter can be manipulated by external input without proper sanitization
• Triggers when dynamic/variable content is passed to the headers parameter instead of static strings
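The strategy above, as an added, simplified detector that is not Fluid Attacks' own implementation: it locates mail() calls in PHP source, splits the argument list while keeping string literals intact, and reports every call whose fourth (headers) argument is not a single static string, noting when that argument directly references a request superglobal. The PHP snippet it scans is constructed for this example.

```python
import re

# Constructed sample PHP source (not from the original page), one mail() call per line
SAMPLE_PHP = r'''<?php
mail("admin@example.com", "Newsletter", "Content", $headers);
mail("admin@example.com", "Newsletter", "Content", "From: noreply@example.com\r\n");
mail($to, "Hi, there", $body, "From: " . $_POST['from']);
mail($to, "Hi", $body);
'''
TAINT_SOURCES = ("$_POST", "$_GET", "$_REQUEST", "$_COOKIE")
STRING = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")   # one PHP string literal
TOKEN = re.compile(STRING.pattern + r"|[(),]|[^'\"(),]+")

def parse_call_args(src, pos):
    """Split the argument list that starts at src[pos] (just after '(') on depth-0 commas."""
    args, cur, depth = [], [], 0
    for tok in TOKEN.findall(src[pos:]):        # string literals arrive as single tokens
        if tok == ")" and depth == 0:
            break                                # closing paren of the call itself
        if tok == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            depth += {"(": 1, ")": -1}.get(tok, 0)
            cur.append(tok)
    if cur:
        args.append("".join(cur).strip())
    return args

def is_static_literal(arg):
    """True only for exactly one quoted string; a double-quoted one must not interpolate $vars."""
    return bool(STRING.fullmatch(arg)) and not (arg[0] == '"' and "$" in arg)

def find_header_injections(src):
    """Report (line, headers_arg, reason) for every mail() call whose 4th argument is dynamic."""
    findings = []
    for m in re.finditer(r"(?<![\w$>:])mail\s*\(", src):   # skip $mail(, ->mail(, ::mail(
        args = parse_call_args(src, m.end())
        if len(args) < 4:
            continue                                 # no headers argument to inject into
        headers = args[3]
        if is_static_literal(headers):
            continue                                 # static string: nothing user-controlled
        line = src.count("\n", 0, m.start()) + 1
        tainted = any(s in headers for s in TAINT_SOURCES)
        reason = "direct superglobal input" if tainted else "dynamic value (trace its origin)"
        findings.append((line, headers, reason))
    return findings
```

Concatenations such as `'From: ' . $x` are conservatively reported as dynamic; a real scanner would follow the variable back to its source before deciding.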
Vulnerable code example
<?php
function send_vulnerable_email() {
    // VULNERABLE: Unsanitized user input from $_POST used directly in mail headers
    $headers = $_POST['email_headers'];
    mail("admin@example.com", "Newsletter", "Content", $headers);
}
✅ Secure code example
<?php
function send_secure_email() {
    // Sanitize sender email using filter_var and validate format
    $sender = filter_var($_POST['email_headers'], FILTER_SANITIZE_EMAIL);
    if (!filter_var($sender, FILTER_VALIDATE_EMAIL)) {
        $sender = 'default@example.com'; // Fallback to safe default if invalid
    }
    ...