Tuesday, July 08, 2008

"Contact US" forms can be abused -- particularly a problem for small business sites


There’s a new kind of spam threat being reported by security people: “mail header injection”. When a contact form passes a user-supplied field (typically the sender’s address or the subject) straight into the headers of the outgoing message, an unscrupulous person can insert line breaks followed by additional recipients into the POST variable of the PHP script, turning the form into a spam relay. More email contact forms at companies should do extra input validation. This is explained in a February 2006 entry at a website called “jelly and custard” with code examples here.

Think Computer offers a white paper (by Aaron Greenspan) with a humorous title, telling the story of how a “contact us” form can be abused if its input is not properly verified. The prankster triggered a series of “contacts” from around the world in which the browser was bypassed. Bypassing the browser is part of the pattern, because a browser’s single-line form field normally will not let multiple header lines be submitted as one value. The requests did not originate from the website’s own form page but from some other outside source. The white paper (Feb. 2006) is here. One interesting fact in Greenspan’s narrative is that when he reported it to CERT, the well-known watchdog agency at Carnegie Mellon had not yet encountered it.

The motive for such an attack is more likely to arise at a larger organization, where the spammer wants to reach a large number of people (particularly subscribers or customers of a large ISP), but it is probably harder for a small organization to find the time and resources to protect its contact forms from this sort of activity.

Another helpful resource for coding around this problem appears on this “ALT PHP FAQ” discussion board.
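As an added illustration (this is not code from the blog post, the “jelly and custard” entry, or the Think Computer paper), the Python below mirrors the pattern a PHP contact script follows when it concatenates form fields into the extra-headers argument of mail(). The naive builder shows how a single field carrying a line break turns into an extra Bcc: header once the transport splits the block into lines; the validating builder refuses the same submission because it rejects any CR, LF or NUL in a header value and requires a well-formed address. All form values and addresses are constructed sample data.

```python
import re

# Constructed sample submissions, as a form handler would receive them in POST.
CLEAN_FORM = {"email": "alice@example.com", "subject": "Question about hours"}
INJECTED_FORM = {
    # One field, but it carries a line break followed by a second header.
    "email": "alice@example.com\r\nBcc: victim1@example.net, victim2@example.net",
    "subject": "hi",
}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
LINE_BREAK_RE = re.compile(r"[\r\n\x00]")


def build_headers_unsafe(form):
    """The vulnerable pattern: form fields concatenated straight into the
    extra-headers string (what PHP's mail() receives as its fourth argument)."""
    return "From: " + form["email"] + "\r\nReply-To: " + form["email"] + "\r\n"


def parse_header_block(block):
    """Split a raw header block into (name, value) pairs the way a mail
    transport would, treating CRLF, bare LF or bare CR as a line terminator."""
    fields = []
    for line in re.split(r"\r\n|\n|\r", block):
        if not line:
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def header_names(block):
    """Return the header names present in a block, in order."""
    return [name for name, _ in parse_header_block(block)]


def is_safe_header_value(value):
    """A header value may never contain a line break or NUL: that is the
    only way a single form field can start a new header line."""
    return LINE_BREAK_RE.search(value) is None


def validate_form(form):
    """Return (ok, reason). Every field is screened for line breaks, and the
    address field must also match a strict single-address pattern."""
    for key, value in form.items():
        if not is_safe_header_value(value):
            return False, key + ": contains line break"
    if not EMAIL_RE.fullmatch(form["email"]):
        return False, "email: malformed"
    return True, ""


def build_headers_safe(form):
    """Same header assembly, but only after the submission has been validated."""
    ok, reason = validate_form(form)
    if not ok:
        raise ValueError("rejected submission (" + reason + ")")
    return build_headers_unsafe(form)


if __name__ == "__main__":
    print("unsafe, clean input  :", header_names(build_headers_unsafe(CLEAN_FORM)))
    print("unsafe, injected     :", header_names(build_headers_unsafe(INJECTED_FORM)))
    print("validated, clean     :", header_names(build_headers_safe(CLEAN_FORM)))
    try:
        build_headers_safe(INJECTED_FORM)
    except ValueError as err:
        print("validated, injected  :", err)
```

Running the script prints the header names the transport would see in each case: the unsafe builder yields two unintended Bcc lines from the injected submission, while the validating builder raises before any header is assembled. The line-break check is the essential one; the address pattern is a second layer that also catches fields that are merely malformed.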

I'm not sure if Java, C#, etc. forms would have the same vulnerability. I would think that Microsoft would have precluded this risk in the new Expression Web, but other visitors may know.
