1

I use CheckMarx platform to test security of my site( to test contact form), but unfortunatelly it tells me about Header Injection Risks, I've already applyed some checkup for this but it still tells me about the risk

In what exactly can be the probem ? I hope you understand the question, thanks a lot for recommendations !

There's my php code:

/* Preventing header injection */
function cleaninjections($test) {
// Remove injected headers
    $find = array("/bcc\:/i",
        "/Content\-Type\:/i",
        "/Mime\-Version\:/i",
        "/cc\:/i",
        "/from\:/i",
        "/to\:/i",
        "/Content\-Transfer\-Encoding\:/i");
    $ret = preg_replace($find, "", $test);
    return $ret;
}

// Specify which fields to require from form
$required_fields = array('name','email','phone', 'additional_info', 'company_type');

$errors = array();
$message = "";

foreach($_POST as $key => $value){
    $_POST[$key] = trim($value);
    $_POST[$key] = cleaninjections($value);
}

// Check required fields and return error if blank
foreach($required_fields as $value){
    if(!isset($_POST[$value]) || empty($_POST[$value])){
        $errors[] = "אנא מלא את כל השדות"; // message about empty fields  "אנא מלא את כל השדות"
    }
}

// Validate name field. Accepts a-z, space, period for Dr., and ' for O'Malley
if(isset($_POST['name']) && !empty($_POST['name'])){
    if(!preg_match("/^[a-z '.]+$/i",stripslashes($_POST['name']))){
        $errors[] = "שם לא חוקי"; // message about invalid name 'שם לא חוקי'
    }
}

// Validate email field
if(isset($_POST['email']) && !empty($_POST['email'])){
    if(!preg_match("/^[a-z0-9_.-]+@[a-z0-9.-]+.[a-z]{2,6}$/i",stripslashes($_POST['email']))){
        $errors[] = "כתובת דואר אלקטרוני אינה תקינה"; /* 'כתובת דואר אלקטרוני אינה תקינה' */ /* message about incorrect email */
    }
}

// Display any errors and exit if errors exist.
if (count($errors)) {
    $errors = array_unique($errors);
    foreach ($errors as $value) {
        print "<li> $value</li>";
    }
    exit;
}
/* Preventing header injection */

Also an example of errors message (one of them) in CheckMarx order:

pay attention to the text mesage"Method rd party can influence this value..."- may be it'll help

Also you can check all PHP code: 

<?php

/* Preventing header injection */
function cleaninjections($test) {
// Remove injected headers
    $find = array("/bcc\:/i",
        "/Content\-Type\:/i",
        "/Mime\-Version\:/i",
        "/cc\:/i",
        "/from\:/i",
        "/to\:/i",
        "/Content\-Transfer\-Encoding\:/i");
    $ret = preg_replace($find, "", $test);
    return $ret;
}

// Specify which fields to require from form
$required_fields = array('name','email','phone', 'additional_info', 'company_type');

$errors = array();
$message = "";

foreach($_POST as $key => $value){
    $_POST[$key] = trim($value);
    $_POST[$key] = cleaninjections($value);
}

// Check required fields and return error if blank
foreach($required_fields as $value){
    if(!isset($_POST[$value]) || empty($_POST[$value])){
        $errors[] = "אנא מלא את כל השדות"; // message about empty fields  "אנא מלא את כל השדות"
    }
}

// Validate name field. Accepts a-z, space, period for Dr., and ' for O'Malley
if(isset($_POST['name']) && !empty($_POST['name'])){
    if(!preg_match("/^[a-z '.]+$/i",stripslashes($_POST['name']))){
        $errors[] = "שם לא חוקי"; // message about invalid name 'שם לא חוקי'
    }
}

// Validate email field
if(isset($_POST['email']) && !empty($_POST['email'])){
    if(!preg_match("/^[a-z0-9_.-]+@[a-z0-9.-]+.[a-z]{2,6}$/i",stripslashes($_POST['email']))){
        $errors[] = "כתובת דואר אלקטרוני אינה תקינה"; /* 'כתובת דואר אלקטרוני אינה תקינה' */ /* message about incorrect email */
    }
}

// Display any errors and exit if errors exist.
if (count($errors)) {
    $errors = array_unique($errors);
    foreach ($errors as $value) {
        print "<li> $value</li>";
    }
    exit;
}
/* Preventing header injection */

// MailChimp API credentials
$apiKey = '17837943924******dbccb48e99-us18';
$listID = 'c0*****c9fa';

// MailChimp API URL
$memberID = hash('sha256', strtolower($_POST['email']));
$dataCenter = substr($apiKey,strpos($apiKey,'-')+1);
$url = 'https://' . $dataCenter . '.api.mailchimp.com/3.0/lists/' . $listID . '/members/' . $memberID;

// member information
$json = json_encode([
    'email_address' => $_POST['email'],
    'status'        => 'subscribed',
    'merge_fields'  => [
        'FNAME'     => $_POST['name'],
        'PHONE_NUMB'=> $_POST['phone'],
        'ADD_INFO'  => $_POST['additional_info'],
        'C_TYPE'    => $_POST['company_type'],
    ]
]);

// send a HTTP POST request with curl
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_USERPWD, 'user:' . $apiKey);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, $json);
$result = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch); ?>
Taras Chernata
  • 371
  • 8
  • 17

1 Answers1

1

The problem is that your function cleaninjections is just swipping some headers. So for Checkmarx, as there is a lot of headers, it consider it as a HTTP injection header possibility

SPoint
  • 582
  • 2
  • 10