Re: Re: Possible hacker using php script to send e-mails?


 



Hello Manuel,

this seems to be the right track. However, I do not have line breaks in there, but the message gets passed by POST. This is my script error.php:
<?php

###############################################################
# requires
$hostpath = '../';
require $hostpath . 'global/server.inc';
require $hostpath . 'global/class.phpmailer.php';
###############################################################

###############################################################
# set vars (all three come straight from the request, unvalidated)
$from     = $_POST['from'];
$errormsg = $_POST['errormsg'];
$message  = $_POST['message'];
###############################################################

#####################################################################
# send e-mail
$mail = new phpmailer;

$mail->IsHTML(false);
$mail->From     = $mailadress_webmaster;
$mail->FromName = $email_from_name_2;
$mail->AddAddress($mailadress_webmaster);
$mail->AddReplyTo($from);   # request value placed in a header
$mail->Subject  = 'Fehlerbericht';
$mail->Body     = $message.'

Fehler: '.$errormsg.'
Absender: '.$from;
$mail->Send();

header("Location:/about/index.php?fa=3&msg=4");
#####################################################################
?>

The e-mails I have received contain two subject lines?! Have a look:


Subject: Fehlerbericht
Date: Sat, 11 Mar 2006 01:37:33 +0100
From: My Server <webmaster@>
Reply-To: my email
Content-Type: multipart/alternative; boundary=6cf6796619a040f4ad26b61683f77eac
MIME-Version: 1.0
Subject: little boat undulating near the shore, and
Message-Id: <20060311003733.6666BC027F8@xxxxxxxxxxxx>

This is a multi-part message in MIME format.

--6cf6796619a040f4ad26b61683f77eac
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

from those who stood around the young girl alone stood silent and immovable her thoughts seemed to be far away. et some people fancied they saw how she
--6cf6796619a040f4ad26b61683f77eac--

.
Message-ID: <6d5cf83331c3317c86b2f7df61b92aa2@*.myserver.com>
X-Priority: 3
X-Mailer: PHPMailer [version 1.72]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1"



Fehler:
Absender: s
Content-Type: multipart/alternative; boundary=6cf6796619a040f4ad26b61683f77eac
MIME-Version: 1.0
Subject: little boat undulating near the shore, and
bcc: frekiforbes@xxxxxxx

This is a multi-part message in MIME format.

--6cf6796619a040f4ad26b61683f77eac
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

from those who stood around the young girl alone stood silent and immovable her thoughts seemed to be far away. et some people fancied they saw how she
--6cf6796619a040f4ad26b61683f77eac--

.


Any ideas?

Regards, Merlin


Manuel Lemos wrote:
Hello,

on 03/11/2006 04:12 PM Rasmus Lerdorf said the following:
I am running php 4.x on a suse 9.x machine. There is a php script which
resides on a webapp that is responsible for sending e-mail to myself in
case of errors like db-errors or similar. Called error.php
This script does include phpmailer and uses it to send the e-mails to
me.
Now I am receiving on the e-mail specified as TO: e-mails with different
subject than specified and different text?! All English text with weird
sentences, must be a bot or so. How is this possible? The subject line
is fixed and right after that command send is executed. So no idea how
they do it and how I can prevent it. It looks like this:
$mail->Subject = 'Fehlerbericht';
$mail->Send();
How is it possible that they change this subject line? I checked the
server log and each time an e-mail has been sent to me of that kind
there is a log entry in apache log that says that this script has been
executed. So the e-mails definitely come from that script?!

If you are setting message headers with untrusted values that may
contain line breaks, that is your problem. Line breaks make mail systems
interpret the next line as a new header. That header may be used to
inject new recipients for instance using Bcc: .

You can have line breaks in header but you need to escape them properly
so they are interpreted as continuation lines rather than new headers.

That is only true for the additional_headers (4th) argument to the mail
function.  That argument is specifically for doing free-form headers, so
as long as you only use the to, subject and message arguments to the
mail function you are safe.

That is what I said, sending headers with untrusted values, so people
have to use the 4th argument to set for instance the From: header. This
From: header is often set to values set in forms to the e-mail address
and name of the person that is trying to contact the site people. That
is usually from where most of the PHP mail form abuses come from.

As I said, line breaks in the From: or other headers are not invalid.
Actually line breaks should be used to comply with RFC recommendations
and do not exceed the 78/998 line length limit. When these limits are
exceeded, messages may arrive corrupted.

The mail function is a better than nothing solution. It can still be
used but to send RFC compliant messages, often it is necessary to
correctly format message contents. That is why I always recommend this
or other class that takes care of those (many) details:

http://www.phpclasses.org/mimemessage



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
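
Added example, not code from the thread or from PHPMailer: one way to gate the request value that error.php passes to AddReplyTo(), plus a check that names which form fields carried header-like lines so the attempt can be logged. The function names and sample request are constructed for illustration, and the code assumes PHP 7.1 or later with the filter extension rather than the PHP 4 setup in the thread.

```php
<?php
// Added example; function names are hypothetical, sample inputs are constructed.

// Return the address if it can safely be used in a header, otherwise null.
function header_safe_address(string $value): ?string
{
    $value = trim($value);
    // CR or LF would end the header line; what follows becomes a new header.
    // Other control characters have no place in an address either.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    // Require exactly one syntactically valid address.
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value;
}

// Name the form fields that carry a header-like line after a line break,
// so the attempt can be logged even when the field only ends up in the body.
function fields_with_injected_headers(array $post): array
{
    $pattern = '/[\r\n]\s*(to|cc|bcc|subject|content-type|mime-version)\s*:/i';
    $hits = [];
    foreach ($post as $name => $value) {
        if (is_string($value) && preg_match($pattern, $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed request shaped like the abuse in the received message above.
$post = [
    'from'     => "s\r\nContent-Type: multipart/alternative; boundary=x\r\n"
                . "Subject: injected\r\nbcc: someone@example.net\r\n\r\ntext",
    'errormsg' => '',
    'message'  => 'Page /foo failed to load',
];

$replyTo = header_safe_address($post['from']);
$flagged = fields_with_injected_headers($post);

echo 'Reply-To: ', $replyTo === null ? '(rejected, header not set)' : $replyTo, "\n";
echo 'Flagged fields: ', $flagged ? implode(', ', $flagged) : 'none', "\n";

// In error.php, call $mail->AddReplyTo($replyTo) only when $replyTo !== null.
```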

