Php Unsafe Parameter Tampering
Description
Detects unsafe usage of the PHP mail() function where untrusted input reaches its parameters, letting an attacker tamper with email parameters (recipient, subject, body, headers) or inject additional mail headers through CR/LF sequences. This enables email header injection, allowing attackers to add recipients (To, Cc, Bcc), alter the sender or content, and use the application as a spam relay or for phishing.
Detection Strategy
• Identifies calls to the PHP mail() function in the code
• Checks whether any of the function arguments (to, subject, message, additional_headers) contain unvalidated user input or other untrusted data
• Reports a vulnerability when mail() is called with parameters that an untrusted source can control
• Flags usage where mail headers can be injected through unfiltered parameters (for example, a value containing "\r\n" followed by a new header line)
Vulnerable code example
// Vulnerable: Unsanitized user input from $_POST used directly in mail headers
$to = $_POST['email']; // User-controlled recipient email
$subject = "Password Reset";
$message = "Reset instructions";
$headers = ["Bcc" => $_POST['bcc']]; // User input in mail headers enables header injection
mail($to, $subject, $message, $headers);
✅ Secure code example
// Validate and sanitize recipient email
$to = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
if ($to === false) {
die("Invalid recipient email address");
}
$subject = "Password Reset";
$message = "Reset instructions";
// Headers are fixed, server-controlled values; nothing from the request reaches them
// (the From address is an assumed placeholder; the original snippet is truncated here)
$headers = ["From" => "noreply@example.com"];
mail($to, $subject, $message, $headers);
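The following is an added example, not code from the original page or from Fluid Attacks, that puts the detection strategy and the secure pattern above into one runnable PHP script. The function names (reject_header_chars, validate_recipient, send_password_reset), the sender address and the constructed request values are illustrative assumptions; the script only exercises the validator, because calling mail() needs a configured MTA.

```php
<?php
// Added example (not the page's own code): a hardened wrapper around mail()
// that refuses attacker-controlled recipients and header values.
// All names here (the functions, the sender address, the sample inputs) are assumptions.

declare(strict_types=1);

/**
 * Reject any value containing CR, LF or NUL: these are the characters that
 * let an attacker terminate one header line and start another.
 */
function reject_header_chars(string $value, string $field): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException("CR/LF not allowed in $field");
    }
    return $value;
}

/**
 * Validate a single recipient address. FILTER_VALIDATE_EMAIL rejects
 * addresses containing whitespace, commas or newlines, so a payload such as
 * "a@example.com\r\nBcc: x@attacker.test" fails here instead of reaching mail().
 */
function validate_recipient(string $raw): string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('Invalid recipient email address');
    }
    return $email;
}

/**
 * Send the reset mail. Only the recipient comes from the request, and it is
 * validated; subject, body and every header are server-controlled values.
 * Intended call site: send_password_reset($_POST['email'] ?? '', $resetUrl);
 */
function send_password_reset(string $rawRecipient, string $resetUrl): bool
{
    $to = validate_recipient($rawRecipient);
    // Server-side strings also go through the CR/LF check, so a later refactor
    // that makes them dynamic cannot silently reintroduce header injection.
    $subject = reject_header_chars('Password Reset', 'Subject');
    $message = "Reset instructions: " . $resetUrl;

    // Fixed header set: no Bcc/Cc/From taken from the client, ever.
    $headers = [
        'From'         => 'noreply@example.com', // assumed sender address
        'Reply-To'     => 'noreply@example.com',
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    foreach ($headers as $name => $value) {
        reject_header_chars($value, $name);
    }

    return mail($to, $subject, $message, $headers);
}

// Constructed inputs: a legitimate address and a header-injection attempt.
$inputs = [
    'alice@example.com',
    "alice@example.com\r\nBcc: spamlist@attacker.test",
];
foreach ($inputs as $raw) {
    try {
        validate_recipient($raw);
        echo "accepted: " . json_encode($raw) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . json_encode($raw) . " (" . $e->getMessage() . ")" . PHP_EOL;
    }
}
```

Two points worth keeping in mind when applying this pattern. First, validating the address format is necessary but not sufficient on its own: a correctly formatted Bcc address supplied by the client (as in the vulnerable example) is still parameter tampering, so the fix is to never build header names or values from request data, not merely to filter them. Second, do not rely on the newline checks that some PHP versions perform inside mail(); they vary by version and do nothing about an attacker-chosen but well-formed recipient, so the application must enforce both the allowlist of headers and the absence of CR/LF itself.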