The Huz Experience


PHP Security: A Rant

Tuesday 7th February 2006

Haven’t had a good rant on here for a while.

Apparently spammers, not content with spamming up my comments, have now moved on to abusing my email form (now defunct). What fun! This time they’ve concocted an ingenious wheeze for injecting their own headers into the generated emails, allowing them to add their own ‘Cc:’ and ‘Bcc:’ lines with impunity. That allows them to fire emails off to all and sundry – in addition to me, the unchangeable ‘To:’ addressee, of course.

This is all possible thanks to the wonders of header injection via the PHP mail() function. It’s simple enough: you shove in some magic characters when filling in the form, and suddenly you can write whatever you want in the email headers. Not good.
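The “magic characters” are line breaks: mail() passes its headers argument to the mail transport as raw text, so a carriage return or line feed inside a form field ends the header it was meant for and starts a new one. The defence is to refuse any header-bound field that contains them. The following is an added example, not code from the original post; the function names, field names and sample inputs are my own assumptions, and it is the pattern of handing the form’s ‘From’ field straight to mail() that the rant describes.

```php
<?php
// Added example (not from the original post): a defensive wrapper around
// PHP's mail() that refuses any header-bound form field containing a
// carriage return or line feed, the characters that make header injection
// possible. Function names, field names and sample inputs are assumptions.

/**
 * True if a value may be placed in an email header: no CR, LF or NUL,
 * and not unreasonably long.
 */
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0 && strlen($value) <= 255;
}

/**
 * Vulnerable pattern: the form's 'From' field goes straight into the
 * additional headers argument. A CR/LF in $from lets the sender append
 * header lines of their own (Cc:, Bcc:, ...).
 */
function send_contact_mail_unsafe(string $to, string $from, string $subject, string $body): bool
{
    return mail($to, $subject, $body, "From: $from");
}

/**
 * Hardened pattern: every header-bound field is validated first, and the
 * From: value must also parse as a plain email address. Returns false
 * without sending if any check fails.
 */
function send_contact_mail_safe(string $to, string $from, string $subject, string $body): bool
{
    if (!is_safe_header_value($from) || !is_safe_header_value($subject)) {
        return false;
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // The body is not a header, but normalise line endings so a stray
    // bare CR cannot confuse the mail transport either.
    $body = str_replace(["\r\n", "\r"], "\n", $body);
    return mail($to, $subject, $body, "From: $from");
}

// Constructed inputs for illustration: a normal address, and one that
// smuggles a second header line after a CR/LF.
$good_from = 'alice@example.com';
$bad_from  = "alice@example.com\r\nBcc: someone-else@example.net";

var_dump(is_safe_header_value($good_from));
var_dump(is_safe_header_value($bad_from));
```

The check belongs on every field that ends up in a header (From, Reply-To, Subject), not only the address; logging the rejected submissions is a cheap way to see when a form is being probed.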

Why is this still possible? It’s 2006! The first time I came across a problem like this, it was on a MUD. Yes, that fine piece of 80s technology, friend of university procrastinators everywhere. (The only friend, but we won’t go into that.) You could exploit badly written code to inject your own, wreaking all kinds of havoc if you chose your mark carefully.

Sound familiar?

Why is the PHP mail() function so stupid? Why is it left to the PHP programmer to prevent this nastiness? Why is it left to any user of any similar function to consider all these possibilities? It’s not reasonable to expect every PHP programmer to duplicate the same effort, all to thwart the same idiotic flaw in a built-in function.

I’m sure it’s a simple oversight on the part of the PHP developers – as are most flaws allowing this kind of injection – but hey, it’s not called a rant for nothing. Bloody PHP, and bloody spammers.
