MX injection is an injection technique similar to SQL injection, XPath injection, SSI injection and many others. An application that has a mail server that is not directly accessible from the internet is vulnerable to this attack. If the attacker gets access to the port on which the mail server is running, he can access the mail server directly. This injection attack can be exploited on applications that communicate with a mail server. A vulnerable server will allow IMAP or SMTP commands to be injected into the mail servers through the webmail application. MX injection is possible because of improper validation of user-supplied data. Whether an application is vulnerable to MX injection depends on many factors, such as the type and scope of the injection and the mail server technology, among others.
The following example shows a step-by-step method to attack an application vulnerable to MX injection:
http://example.beaglesecurity.com/src/read_body.php?mailbox=&passed_id=46106&startMessage=1 # Send a null value
http://example.beaglesecurity.com/src/read_body.php?mailbox=NOTEXIST&passed_id=46106&startMessage=1 # Substitute it with a random value
http://example.beaglesecurity.com/src/read_body.php?mailbox=INBOX PARAMETER2&passed_id=46106&startMessage=1 # Add values to other parameters
http://example.beaglesecurity.com/src/read_body.php?mailbox=INBOX"&passed_id=46106&startMessage=1 # Add non-standard special characters
http://example.beaglesecurity.com/src/read_body.php?passed_id=46106&startMessage=1 # Eliminate the parameter
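The following Python code is an added example, not part of the original page or Beagle's own code. It shows how strict server-side validation of the mailbox parameter handles each of the five requests above before any mail server command is built. The allowed character set, the folder list and the use of an IMAP SELECT command are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed policy (not from the page): 1-64 characters from a fixed set.
# Space, double quote, CR, LF and other control characters never match.
MAILBOX_RE = re.compile(r"[A-Za-z0-9._/-]{1,64}")
KNOWN_MAILBOXES = {"INBOX", "Sent", "Drafts"}  # constructed folder list

BASE = "http://example.beaglesecurity.com/src/read_body.php?"
TAIL = "passed_id=46106&startMessage=1"
# The five requests shown on the page.
PROBES = {
    "null value": BASE + "mailbox=&" + TAIL,
    "random value": BASE + "mailbox=NOTEXIST&" + TAIL,
    "extra parameter": BASE + "mailbox=INBOX PARAMETER2&" + TAIL,
    "special character": BASE + 'mailbox=INBOX"&' + TAIL,
    "parameter removed": BASE + TAIL,
}

def validate_mailbox(value, known=KNOWN_MAILBOXES):
    """Return (ok, reason); reason is one of a fixed set of strings."""
    if value is None:
        return False, "missing"
    if value == "":
        return False, "empty"
    if not MAILBOX_RE.fullmatch(value):
        return False, "illegal character"
    if value not in known:
        return False, "unknown mailbox"
    return True, "ok"

def mailbox_from_url(url):
    """Extract the single mailbox value, or None if absent or repeated."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("mailbox")
    return values[0] if values and len(values) == 1 else None

def select_command(tag, value):
    """Build the IMAP SELECT line (assumed command) from a validated value only."""
    ok, reason = validate_mailbox(value)
    if not ok:
        raise ValueError("mailbox rejected: " + reason)
    return f'{tag} SELECT "{value}"\r\n'

def probe_results():
    """Map each request from the page to the validator's verdict."""
    return {name: validate_mailbox(mailbox_from_url(u))[1] for name, u in PROBES.items()}

if __name__ == "__main__":
    for name, reason in probe_results().items():
        print(f"{name:18} -> {reason}")
```

All five requests are rejected before the mail server is contacted, and each rejection returns the same fixed response regardless of what the mail server would have answered.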
This vulnerability can have the following impacts:-
Beagle recommends the following fixes:-