|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67494 PHP Bug allows anyone to send fake email even SMPT protection is used.
Submitted: 2014-06-22 04:21 UTC Modified: 2014-06-23 11:52 UTC
Avg. Score:3.0 ± 2.0
Reproduced:0 of 1 (0.0%)
From: ashesh1708 at gmail dot com Assigned:
Status: Not a bug Package: *Mail Related
PHP Version: 5.6.0RC1 OS: ALL
Private report: No CVE-ID: None
 [2014-06-22 04:21 UTC] ashesh1708 at gmail dot com
I have found a bug in Latest version of PHP that makes me send spoofed emails ,using a simple code I can bypass the SMPT protection used by many companies to prevent spoofed email sending, Like Facebook, Google, Yahoo etc. This bug is applicable to ALL websites including Facebook, Google etc.
Here's the code to exploit:


$to = "";
$subject = "Subject_here";
$txt = "Message here";
// This works because I included a space between @ and domain
$headers = "From: Username@"; 

$to = "";
$subject = "Subject_here";
$txt = "Message here";
// As SMPT Protection is not used , no need to include space.
$headers = "From:"; 
Why it can't be fixed by any website?
There is no way this could be fixed by individual websites even with Facebook, As They can add SMPT protection for but thy can never own [space], So they can never add an SMPT protection for [SPACE]
If I send a mail from OR from attacker@ they both are considered same by email providers.
Using this I can send Spoofed email to victim telling to change his/her password. Then I use the appropriate PHP codes I mentioned above. It appears to be same when received.

1) Phishing
2) Change Password
3)Make Fake Transition
4) Click on Virus link
5) Removes the trust of user on the website

Scenario 1:

Jim meets jack physically and decides an deal. An attacker somehow know this, He want the deal to be cancelled. he sends a spoofed mail from to telling that deal is cancelled for some reason.

Scenario 2:

One day jim opens his email and sees an email from regarding changing password. He doubts that is owned by Yahoo! Company or not? Then he opens in his web browser which redirects him to ORIGINAL Yahoo! , It confirms that is owned by Yahoo!

(Big companies own all domains eg. http:/, http:/, http:/ all is owned by google same is the case with Yahoo!) 
He clicks that change password link, clicking on the link takes him to a website where certain JavaScript is executed which steals his yahoo id and password (SESSION). The results can be more dangerous.
Proof OF Concept

Two images are attached. Each of one shows use of the codes , I mentioned above.

Image 1 :
Image 2 :

I have made a website ( to send the spoofed mail combining the two codes. (Please don't send more than 5 mails per minute and wait 5 minutes for mail to arrive)

The source code of my website is :

a) index.php

<h3>If using SMPT Protection use (username@[SPACE] in "From" field eg. (world123@</h3>
<form action="submit.php" method="post">
 To: <input type="text" name="to"><br> 
 From: <input type="text" name="from"><br>
 Subject: <input type="text" name="subject"><br>
 Message: <textarea name="message"></textarea><br>
  <input type="submit">

b) submit.php

$to = $_POST["to"];
$subject = $_POST["subject"];
$txt = $_POST["message"];
$headers = "From: ".$_POST["from"];     
echo "SENT";
echo "<br>";
echo "TO: ".$_POST["to"];
echo "<br>";
echo "From: ".$_POST[
echo "<br>";
echo "Subject: ".$_POST["subject"];
echo "<br>";
echo "Content: ".$_POST["message"];
echo "<br>";
echo "Fail";

I made a Proof of Concept video about how this can be exploited in Yahoo! mail (


PHP should not allow mail to be sent if there is a space after "@"

Additional Notes

It is easy to detect an spoofed mail. But only 2% of people over that WORLD knows it!
Its necessary to Fix this to prevent misunderstanding and attacks.
Here's how to add SMPT Protection to your Domain (Even i can bypass it)

Test script:
--------------- (Please don't send more than 5 mails per minute)


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-06-22 05:58 UTC] phpmpan at mpan dot pl
Either I've misunderstood something about the bug or it's NaB.

For this to work, a website must give the attacker unrestricted access to the headers argument or in other way allow the attacker to set the "From" header. If it does then it's a serious bug in the website itself. PHP has nothing to do with it.

Could you provide an example of exploitable code? The current one is only showing that one can set "From" field. Such operation is not only quite obvious, but even required by the documentation. The already provided code also allows any website user to set this field, but it does only because you have explicitly allowed it. So either my brain is not working properly or there is no bug showed in the code.
 [2014-06-23 11:52 UTC]
-Status: Open +Status: Not a bug
 [2014-06-23 11:52 UTC]
Sending an email with the "From: Username@" via php will produce the expected output:
"From: Username@"
Not sure how this is a php specific problem, or a problem at all.

Not sure what do you mean by SMPT(btw that is SMTP, not SMPT) protection, based on your links I'm assuming you are referring to SPF(,
many smtp servers doesn't even allows you to spoof the From header (you can set the header, but the mail for your account will be used anyways), but assuming that this gets through I'm still not convinced that this "trick" would work against even the dumbest spf implementation.
And assuming it does, it still not a php issue but an MTA problem.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jul 17 20:01:29 2024 UTC