Php Mb Send Mail Header Injection
Description
This detector identifies header injection vulnerabilities in PHP's mb_send_mail function. When user-controlled input reaches the headers parameter without proper sanitization, an attacker who can place a carriage return or line feed in that input can terminate the intended header line and append headers of their own, which allows email spoofing (forged From/Reply-To), adding unauthorized recipients (extra To/Cc/Bcc), or injecting content into the message.
Detection Strategy
• Scans PHP source code for calls to the mb_send_mail function
• Checks if the headers parameter (typically the 4th parameter) contains user-controlled or untrusted input
• Reports a vulnerability when user input can be passed to the headers parameter without proper sanitization
• Focuses on scenarios where external data sources like $_GET, $_POST, $_REQUEST, or other user inputs flow into the headers argument
Vulnerable code example
<?php
// VULNERABLE: Direct superglobal in headers parameter
function send_email() {
    mb_send_mail("user@example.com", "Subject", "Body", $_POST['headers']); // Email header injection risk
}
// VULNERABLE: Variable from superglobal used as headers
function send_notification() {...

✅ Secure code example
<?php
// SAFE: Validate and sanitize headers to prevent injection
function send_email() {
    // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; the CRLF
    // stripping on the next line is what actually blocks header injection
    $headers = filter_var($_POST['headers'] ?? '', FILTER_SANITIZE_STRING);
    $headers = str_replace(["\r", "\n"], '', $headers); // Remove CRLF injection vectors
    mb_send_mail("user@example.com", "Subject", "Body", $headers);
}
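The detection strategy above (find mb_send_mail calls, check whether the fourth argument is fed by a superglobal, and stop reporting once the value has been reassigned from a CR/LF-stripping call) can be shown end to end with a small taint-tracking scanner. The following Python is an added example written for this page; it is not Fluid Attacks' detector and does not reproduce its implementation. The PHP it scans is a constructed sample, and the rules it applies (only $_GET/$_POST/$_REQUEST/$_COOKIE are taint sources, taint flows through plain assignments, a str_replace that removes both "\r" and "\n" clears it, and straight-line code is analysed without control flow) are simplifying assumptions of the example.

```python
"""Added example (not Fluid Attacks' code): a minimal taint-tracking scanner for
mb_send_mail() header injection in PHP source.

Assumptions of this example:
- taint enters only through $_GET, $_POST, $_REQUEST and $_COOKIE;
- taint propagates through simple `$var = <expr>;` assignments;
- a variable is sanitized once it is reassigned from a str_replace() call
  whose arguments contain both "\r" and "\n";
- code is analysed line by line in order, without control-flow analysis.
"""
import re

SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
ASSIGN_RE = re.compile(r'^\s*(\$[A-Za-z_]\w*)\s*=\s*(.+?);\s*(?://.*)?$')
CALL_RE = re.compile(r'\bmb_send_mail\s*\(')

# Constructed sample PHP, not the original page's code.
SAMPLE_PHP = r'''<?php
// constructed sample for the scanner below
function send_email() {
    mb_send_mail("user@example.com", "Subject", "Body", $_POST['headers']);
}
function send_notification() {
    $headers = $_GET['extra'];
    mb_send_mail("ops@example.com", "Alert", "Body", $headers);
}
function send_fixed() {
    $headers = $_POST['headers'];
    $headers = str_replace(["\r", "\n"], '', $headers);
    mb_send_mail("user@example.com", "Subject", "Body", $headers);
}
function send_static() {
    $headers = "From: noreply@example.com";
    mb_send_mail("user@example.com", "Subject", "Body", $headers, "-f noreply@example.com");
}
'''


def extract_call_args(src, paren_pos):
    """Return the text between the '(' at src[paren_pos] and its matching ')'."""
    depth, quote, i = 0, None, paren_pos
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[paren_pos + 1:i]
        i += 1
    return None                             # unbalanced call, give up


def split_args(arg_text):
    """Split a PHP argument list on top-level commas, honouring quotes and nesting."""
    args, cur, depth, quote = [], [], 0, None
    i = 0
    while i < len(arg_text):
        ch = arg_text[i]
        if quote:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(arg_text):
                cur.append(arg_text[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch in "([":
            depth += 1
            cur.append(ch)
        elif ch in ")]":
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        args.append("".join(cur).strip())
    return args


def is_tainted(expr, tainted):
    """True if expr references a superglobal or a currently tainted variable."""
    if any(sg in expr for sg in SUPERGLOBALS):
        return True
    return any(re.search(re.escape(v) + r"\b", expr) for v in tainted)


def is_crlf_sanitizer(expr):
    """True for a str_replace() call whose arguments mention both \\r and \\n."""
    return bool(re.search(r"\bstr_replace\s*\(", expr)) and "\\r" in expr and "\\n" in expr


def scan(src):
    """Return [(line_number, fourth_argument_text)] for every mb_send_mail call
    whose headers argument is fed by untrusted input."""
    findings, tainted = [], set()
    lines = src.splitlines()
    for lineno, line in enumerate(lines, 1):
        m = ASSIGN_RE.match(line)
        if m:
            var, expr = m.group(1), m.group(2)
            if is_crlf_sanitizer(expr):
                tainted.discard(var)        # CR/LF stripped: no longer injectable
            elif is_tainted(expr, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)        # reassigned from a trusted value
        for call in CALL_RE.finditer(line):
            rest = "\n".join(lines[lineno - 1:])      # call may span lines
            arg_text = extract_call_args(rest, call.end() - 1)
            if arg_text is None:
                continue
            args = split_args(arg_text)
            if len(args) >= 4 and is_tainted(args[3], tainted):
                findings.append((lineno, args[3]))
    return findings


if __name__ == "__main__":
    for lineno, arg in scan(SAMPLE_PHP):
        print(f"line {lineno}: untrusted data reaches mb_send_mail() headers: {arg}")
```

Running the block flags lines 4 and 8 of the sample (the direct superglobal and the variable copied from $_GET) and stays silent on send_fixed, where the str_replace reassignment clears the taint before the call, and on send_static, whose headers are a constant. Reassignment-based clearing is deliberately strict: a str_replace that removes only "\n" would not count as a sanitizer, mirroring the page's point that both CR and LF have to go.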