Just found this info:
"A newer and lesser known vulnerability is header injection, a cunning exploit whereby a spammer hijacks a website’s contact form and uses it to send bulk unsolicited email"
Are we protected against this?
Not specifically. First your form must allow header injection. If you are not allowing variables to populate any header fields then there is nothing to worry about. If you allow header variables then you need to check to make sure the form's email is only sent to specific addresses and not unintended recipients, as it would be if the header was injected by some hacker or hacker script.
There is a lot to know and I cannot cover everything in this post. The best thing to do is identify a specific type of abuse and implement some protection against it.
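The two checks the reply describes, rejecting form values that could add header lines and confirming the message only goes to a fixed address, as an added Python example. This is illustration code, not part of the project or of either post; the recipient and sender addresses are placeholders, and the field names are assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Placeholder addresses: the form only ever delivers to CONTACT_RECIPIENT,
# regardless of what the visitor typed into the form.
CONTACT_RECIPIENT = "webmaster@example.com"
FORM_SENDER = "contact-form@example.com"

# A CR, LF or NUL inside a header value is what lets an extra header
# (for example a second recipient list) be smuggled in. None of these
# characters is legitimate in a single header line, so reject them outright.
HEADER_FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a form field is about to be placed in a mail header but
    contains characters that would start a new header line."""


def is_safe_header_value(value: str) -> bool:
    """True if the value cannot terminate the header it is placed in."""
    return HEADER_FORBIDDEN.search(value) is None


def build_contact_message(sender_email: str, subject: str, body: str) -> EmailMessage:
    """Build the notification mail for a contact-form submission.

    Only two visitor-controlled values reach headers (Reply-To and Subject);
    both are checked first. The body never reaches a header, so it needs no
    such check here.
    """
    for field, value in (("sender_email", sender_email), ("subject", subject)):
        if not is_safe_header_value(value):
            raise HeaderInjectionError(f"{field} contains a line break or NUL")

    msg = EmailMessage()
    msg["To"] = CONTACT_RECIPIENT          # fixed, never taken from the form
    msg["From"] = FORM_SENDER              # fixed, never taken from the form
    msg["Reply-To"] = sender_email         # visitor value, validated above
    msg["Subject"] = subject               # visitor value, validated above
    msg.set_content(body)
    return msg


def recipient_list(msg: EmailMessage) -> list:
    """All addresses the message would be delivered to (To, Cc, Bcc).

    Used as the second check from the reply: before handing the message to
    the mailer, confirm it goes to the expected address and nowhere else.
    """
    raw = []
    for header in ("To", "Cc", "Bcc"):
        raw.extend(msg.get_all(header, []))
    return [addr for _name, addr in getaddresses(raw)]


def is_delivered_only_to(msg: EmailMessage, expected: str) -> bool:
    """True if the expected address is the message's sole recipient."""
    return recipient_list(msg) == [expected]


if __name__ == "__main__":
    # Constructed sample submission, as a visitor would fill in the form.
    m = build_contact_message("alice@example.org", "Question about hosting", "Hello,\nis this still available?")
    print("recipients:", recipient_list(m))
    print("only expected recipient:", is_delivered_only_to(m, CONTACT_RECIPIENT))
```

The order matters: validate the fields before they are assigned to headers, and run the recipient check on the finished message immediately before it is sent, so a field that slipped past the first check is still caught by the second.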