Description:
Attackers inject CRLF sequences (\r\n) into form fields that end up inside mail headers (e.g., email, name, subject). Because SMTP separates header fields with CRLF, each injected sequence starts a new header line, so the attacker can append headers of their own, typically extra recipients.
Example vulnerable code:
<?php
$to      = "admin@example.com";
$subject = $_POST['subject'];              // unvalidated; a newline here injects headers too
$headers = "From: " . $_POST['email'];     // raw user input placed directly in a header line
mail($to, $subject, "Message", $headers);
Exploit payload in email field:
attacker@fake.com\r\nBcc: spamlist@example.com\r\nCc: victims@example.com
Result:
The header block handed to the MTA now reads as three separate fields (From, Bcc, Cc), so the message is delivered to every address the attacker supplied; with the subject and body also under their control, the form becomes an open spam relay. Note that mail() does not catch this by itself: it only refuses an additional_headers string that contains a blank line (consecutive CRLFs, since PHP 5.4.42/5.5.26/5.6.10), while a single CRLF followed by a new header line is passed through unchanged.
Validate and sanitize every field that reaches mail(): the email address, subject, name and message body. Allow-list the formats you expect (a syntactically valid address, a single-line subject) rather than trying to strip bad characters after the fact.
| Vulnerability | Secure practice |
|---------------|-----------------|
| Header injection | filter_var($email, FILTER_VALIDATE_EMAIL) (a valid address can never contain CR/LF); reject any other header-bound field containing \r or \n |
| Parameter injection | Never build the 5th parameter of mail() (additional_params, passed as arguments to the sendmail binary) from user input |
| XSS | htmlspecialchars($value, ENT_QUOTES, 'UTF-8') whenever form values are echoed back to the page |
| Spam relay | CAPTCHA (hCaptcha/reCAPTCHA) plus per-IP and per-session rate limiting |
| Missing validation | Validate every field before use: name, message, subject, email |
Secure example:
$to      = "admin@example.com";
$email   = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);   // false on a malformed address or any CR/LF
$subject = $_POST['subject'];
$message = $_POST['message'];
if ($email === false || preg_match('/[\r\n]/', $subject)) {      // subject must stay on one header line
    die('Invalid input');
}
$headers = "From: $email";
mail($to, $subject, $message, $headers);
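The following is an added, runnable dry-run (not code from the original page): it renders the header block the vulnerable concatenation would hand to the MTA, splits it the way the MTA does so the injected Bcc and Cc fields become visible, and then shows a hardened builder that rejects the same payload. It sends nothing. The function names, the constructed attacker payload, and the fixed sender address noreply@example.com are assumptions for illustration; unlike the secure example above, the hardened builder keeps From fixed to the site's own domain and puts the visitor's address in Reply-To, so the outgoing mail still passes SPF/DMARC for that domain.

```php
<?php
// Added example: dry run of header construction, nothing is sent.

// Constructed attacker input, identical to the payload shown above.
const PAYLOAD_EMAIL = "attacker@fake.com\r\nBcc: spamlist@example.com\r\nCc: victims@example.com";

/** Vulnerable builder, mirroring the original snippet: input lands unmodified in a header line. */
function vulnerable_headers(string $email): string
{
    return "From: " . $email;
}

/**
 * Split a raw header block the way an MTA would: one field per CRLF.
 * Returns name => value pairs so injected fields show up as separate entries.
 */
function parse_header_block(string $block): array
{
    $fields = [];
    foreach (preg_split('/\r?\n/', $block) as $line) {
        if ($line === '') {
            continue;
        }
        // explode() may return a single element when ':' is absent; pad the value.
        [$name, $value] = array_map('trim', explode(':', $line, 2) + [1 => '']);
        $fields[$name] = $value;
    }
    return $fields;
}

/**
 * Hardened builder. Throws instead of silently sending.
 * FILTER_VALIDATE_EMAIL already refuses CR/LF, but every free-text
 * field is checked explicitly so the rule is visible in one place.
 * Assumed fixed sender: noreply@example.com (the site's own domain).
 */
function safe_headers(string $email, string $name, string $subject): array
{
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    foreach (['name' => $name, 'subject' => $subject] as $field => $value) {
        if (preg_match('/[\r\n\0]/', $value)) {
            throw new InvalidArgumentException("control character in $field");
        }
    }
    // Array form of additional_headers (PHP 7.2+): one element per header,
    // so a value cannot turn into a second header line.
    return [
        'From'     => 'noreply@example.com',
        'Reply-To' => $email,
        'X-Mailer' => 'PHP/' . PHP_VERSION,
    ];
}

// --- dry run ---
$raw = vulnerable_headers(PAYLOAD_EMAIL);
print_r(parse_header_block($raw));   // From, Bcc and Cc: the relay is open

try {
    safe_headers(PAYLOAD_EMAIL, 'Alice', 'Hello');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
print_r(safe_headers('alice@example.org', 'Alice', 'Hello'));
// Real use would be: mail($to, $subject, $message, safe_headers($email, $name, $subject));
```

Run it with `php` from the command line; the first print_r shows three fields parsed from what the vulnerable code built, the second shows the hardened builder refusing the payload and accepting a normal address.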
When the v3.1 exploit succeeds, attackers achieve: