Email Injection attacks

joep · January 22, 2007, 6:06pm

I’ve heard that it’s possible to halt email injection attacks by using
validate_request, but does anyone have an example of how to actually do
this? Thanks

joep · January 22, 2007, 7:29pm

Joe P. wrote:

I’ve heard that it’s possible to halt email injection attacks by using
validate_request, but does anyone have an example of how to actually do
this? Thanks

I’ve done this in PHP, but is there a good way to do this in RoR?

joep · January 23, 2007, 3:40pm

Anyone?

joep · January 24, 2007, 3:17pm

Surely someone must know something about this.

joep · January 24, 2007, 3:51pm

please don’t bump your message just because you didn’t get a reply.
if someone was interested or had an answer, i’m sure they would have
answered by now.

that being said, i assume by validate_request you mean the plugin.
after looking at the readme/usage it appears to only support:

validating type of request
validating a parameter as either an integer or string
validating a string parameter against a specific string
validating a parameter against a model

in other words, i don’t see how you could stop email injection based
on that functionality.

now, that’s not to say you couldn’t do those checks in your code
yourself, where necessary. no plugin is necessary.

check if request is a post/get
check form fields against email injection (ie, match header fields
against one or more regular expressions)

point is, you’re going to have to do the same thing regardless of the
language.

now, most of the email injection info i’ve seen has to do with how the
php mail() function constructs the mail message itself. ActionMailer
may not be prone to this type of attack if it functions differently.
Not it say it is or is not, because I don’t know.

Chris

joep · January 24, 2007, 5:36pm

I wonder if it is enough to scan the message body for
To:, Bc:, Cc: and there was something else (Content-something)
and replace them?

– Long
http://MeandmyCity.com/ - Free, searchable business directory for local
communities
http://edgesoft.ca/blog/read/2 - No-Cookie Session Support plugin for
Rails

----- Original Message -----
From: “Joe P.” [email protected]
To: [email protected]
Sent: Wednesday, January 24, 2007 9:17 AM
Subject: [Rails] Re: Email Injection attacks

joep · January 24, 2007, 5:59pm

not just the message body. you’d have to scan the headers (to, from,
subject) for anything that should’nt be there or not in the correct
format.

see

http://www.securephpwiki.com/index.php/Email_Injection

for a list of example scenarios.

joep · January 24, 2007, 7:22pm

I agree. Each form field should be scanned.

– Long

joep · January 24, 2007, 7:42pm

Wow, thanks for all the information everyone. Weird how this gets no
replies for two days, then gets a bunch all in one day. Thanks again.