Header injection protection
-
What ‘header injection’ protection does Contact Form 7 include? For instance does it remove ‘bcc:’ and ‘cc:’ from the from, subject, and body fields; does it remove script tags? The concern is that Contact Form 7 can be used by a spammer to send out email, not just to the website admin but also to numerous other email addresses! This is what appears to have happened to a customer’s website.
@mistermousehjm had a similar pertinent question at https://wordpress.org/support/topic/security-in-contact-form-7/ @takayukister if the answers are the same then I think we can assume there isn’t any header injection protection.
-
Form fields collecting data should be sanitized at the earliest opportunity. Steven Stern as WP forum moderator seems to agree in this post. Indeed in the change log dated 19 August 2013 it lists the following fix:
‘Strip newlines to prevent mail header injection’
So maybe there is already some protection, if the code for this fix still exists; My question is what additional protection is needed to sanitize for cc and bcc headers injected into field data, or to sanitize for script tags etc. From recent experience there seems there maybe a vulnerability, at least in the version 1.6.4.
- The topic ‘Header injection protection’ is closed to new replies.
