This function has the following parameters:

mail($recipient, $subject, $message, $headers);

Note the $headers part. Headers are meta information about the message that contains the sender, subject, date sent, CC, BCC, the recipient name and other stuff that the mail deamons (and anti-spam software) puts and uses to track the email path from sender to recipient.

You may have noticed that I’ve put the word vulnerability between quotes. Yes, this is NOT a PHP function vulnerability but it becomes one when misused.

The fact is that as this function doesn’t have a $from parameter, people passes this information via the $header parameter as the following example.

$headers = "From: {$_POST['name']} <{$_POST['email']}>"; // "From: SomeUser <jon@doe.com>"

This is our fail-point: PHP Magic Quotes “protected” people from most XSS input attacks since it escapes quotes and stuff but as headers are separated by newlines (\n), the header can be easily spoofed by inputting:

Buy Viagra <xx@xx.com>\nBcc: email1, email2, email3″

Note that I’ve added a BCC entry and now the email is going to be sent to the email address specified under $recipient parameter at the mail function AND to my BCC entries.

“Congratulations, your e-mail form (and server) is being used now to send my spam”
(Just a quote, Heavyworks’ ethics code would never let me SPAM!)

Solution
Do not forward inputs directly to the header parameter or use a email class like Codeworx’s PHPMailer.

NOTE: Learn more about e-mail headers at Wikipedia

There is a Brazillian portuguese version of this vulnerability at Bruno’s Blog

Related posts:

1. Alternative syntax for PHP control structures
2. Smartly resolving your WordPress pages and posts JavaScript and CSS dependences