Email Header Injection in Invite Feature via Unsanitized POST Parameters

Email Header Injection in Invite Feature via Unsanitized POST Parameters

Thanks @cybershubham06
This commit is contained in:
novgorodschi catalin
2026-07-03 10:18:26 +03:00
parent 5f005e1d56
commit 3c401e46f7
2 changed files with 47 additions and 16 deletions
+30 -14
View File
@@ -55,24 +55,40 @@ class Mailer
* -------------------------------------------------------------------------
* FIX: $username was undefined -> fallback safe value added
*/
function sendInvite($email, $uid, $text)
{
$subject = SERVER_NAME . " registration";
function sendInvite($email, $uid, $text){
$email = trim($email);
$uid = (int)$uid;
$text = trim($text);
// FIX: prevent undefined variable notice
$username = "User";
// Protecție împotriva Email Header Injection
if (
strpos($email, "\r") !== false ||
strpos($email, "\n") !== false ||
!filter_var($email, FILTER_VALIDATE_EMAIL)
) {
return false;
}
$message =
"Hello " . $username . "\n\n" .
"Try the new " . SERVER_NAME . "!\n\n\n" .
"Link: " . SERVER . "anmelden.php?id=ref" . $uid . "\n\n" .
$text . "\n\n\n" .
"Greetings,\n" .
"Travian";
// Curățăm textul
$text = substr($text, 0, 2000);
$text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $text);
$headers = "From: " . ADMIN_EMAIL . "\r\n";
$subject = SERVER_NAME . " registration";
@mail($email, $subject, $message, $headers);
$username = "User";
$message =
"Hello " . $username . "\n\n" .
"Try the new " . SERVER_NAME . "!\n\n\n" .
"Link: " . SERVER . "anmelden.php?id=ref" . $uid . "\n\n" .
$text . "\n\n\n" .
"Greetings,\n" .
"Travian";
$headers = "From: " . ADMIN_EMAIL . "\r\n";
return @mail($email, $subject, $message, $headers);
}
/**
+17 -2
View File
@@ -156,8 +156,23 @@ if($id == 15){
if($id > 15){
include ("Templates/Plus/3.tpl");
}
if(isset($_POST['mail'])){
$mailer->sendInvite($_POST['mail'], $session->uid, $_POST['text']);
if (isset($_POST['mail'])) {
$email = trim($_POST['mail']);
$text = isset($_POST['text']) ? trim($_POST['text']) : '';
// Blocăm CRLF injection și validăm adresa
if (
strpos($email, "\r") === false &&
strpos($email, "\n") === false &&
filter_var($email, FILTER_VALIDATE_EMAIL)
) {
// Limităm dimensiunea și eliminăm caracterele de control
$text = substr($text, 0, 2000);
$text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $text);
$mailer->sendInvite($email, $session->uid, $text);
}
}
?>