Arachni / arachni

Web Application Security Scanner Framework
http://www.arachni-scanner.com

Add Email Header Injection module #404

Open user021 opened 10 years ago

user021 commented 10 years ago

"Email Header Injection is a web security vulnerability exploited by spammers to send email anonymously. It occurs in web applications that do not properly sanitize user input when preparing and sending email messages. Email Header Injection vulnerabilities are commonly found in websites implementing a "Contact Us" form which legitimate users use to send emails to the website owner.

How an Email Header Injection Vulnerability is Exploited by a Spammer

A hacker looking to exploit an Email Header Injection Vulnerability can inject additional MIME headers. Normally, this email is sent only to the website owner. But if the hacker enters

root\nbcc:spam@address.com in the From field, another header will be passed to the mail function. A new bcc: field is generated and the email will also be sent to the hacker's address spam@address.com.

A malicious spammer could use this tactic to send large numbers of messages anonymously where the recipient believes these messages are originating from a trusted source. This vulnerability is not limited to PHP; it can potentially affect any application that sends email messages based on input from arbitrary users."

This might be tricky to implement since we need to send an email to a certain address and then check if it was received. I know you can't implement some free email service API in order to do that, but what if you let the user do that work? For example, an option like "enter email address that will be used", and then after the scan is done the user can check the mailbox manually to see whether the attack was successful or not.
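As an added example (not code from this issue or from Arachni): the naive header construction the quoted text describes, beside a hardened version that refuses line breaks in form fields, plus a check that lists header names the application never set itself. The function names, the allowed-header list and the header layout are assumptions.

```ruby
# Added example, not Arachni's code. Models a "Contact Us" handler that
# turns form fields into the header block handed to a mail function.

HEADER_BREAK = /[\r\n]/

# Vulnerable: user input is interpolated straight into a header line, so a
# value containing a newline is parsed by the mailer as an extra header.
def build_headers_naive(from, subject)
  "From: #{from}\r\nSubject: #{subject}\r\n"
end

class HeaderInjectionError < StandardError; end

# Hardened: reject any header value containing CR or LF rather than trying
# to "clean" it; a contact-form field never legitimately needs a line break.
def safe_header_value(value)
  raise HeaderInjectionError, 'line break in header value' if value.match?(HEADER_BREAK)
  value
end

def build_headers_safe(from, subject)
  "From: #{safe_header_value(from)}\r\nSubject: #{safe_header_value(subject)}\r\n"
end

# Defensive check: report header names present in the block that the
# application did not set itself (assumed allowed set: From and Subject).
ALLOWED_HEADERS = %w[from subject].freeze

def injected_headers(header_block)
  header_block.split(/\r?\n/)
              .map { |line| line[/\A([^:]+):/, 1] }
              .compact
              .map(&:downcase)
              .reject { |name| ALLOWED_HEADERS.include?(name) }
end
```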

Zapotek commented 10 years ago

This would be more suitable for a plugin as modules are supposed to be automated and do not accept options, and this can't be automated without an intermediary server, which I cannot provide.

Thanks for the suggestion man but I'll have to think about it for a while.