
Remove X-PHP-SCRIPT


45 replies to this topic

#1 Black Jack 21

  • Community Member
  • 81 posts
  • Real Name:Andreas
  • Gender:Male
  • Location:Germany

Posted 22 August 2008, 09:26

Hi,

I've often read about renaming the admin folder for security reasons. Unfortunately, the admin folder name is written into every e-mail sent by order.php, in the X-PHP-SCRIPT statement.

Does anyone have an idea how to remove the X-PHP-SCRIPT line from the e-mail header?


Black Jack 21

#2 Web Host

  • Community Member
  • 298 posts
  • Real Name:Web Host
  • Gender:Male

Posted 22 August 2008, 15:56

I think it would come from includes/classes/mime.php. There is one in the catalog and another mime file in the admin.

#3 zeppos

  • Community Member
  • 14 posts
  • Real Name:zeppos

Posted 18 October 2009, 00:46

Does anyone have a definite answer to this? Does the X-PHP-Script header originate from the OSC code or from the sendmail server itself? Because I took a look at the mime class files and I didn't find anything relevant...

#4 Coopco

  • Community Member
  • 9,557 posts
  • Real Name:Leslie Cooper
  • Gender:Male
  • Location:Sea Lake, Victoria, Australia

Posted 18 October 2009, 01:04

I can't see any reference to the admin folder name in any email.


The Coopco Underwear Shop



If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.

#5 zeppos

  • Community Member
  • 14 posts
  • Real Name:zeppos

Posted 18 October 2009, 01:12

So this means that the X-PHP-Script header comes from the mail server itself and there's no use in meddling with the OSC source code?

#6 Black Jack 21

  • Community Member
  • 81 posts
  • Real Name:Andreas
  • Gender:Male
  • Location:Germany

Posted 20 October 2009, 07:04

Exactly. You can try to talk to your host, but I bet they will not change it for you!

#7 nudylady

  • Community Member
  • 234 posts
  • Real Name:nudylady

Posted 27 November 2009, 13:48

X-PHP-Originating-Script: 10143:email.php

I also got two emails with this in the header just now. I did not touch anything; before, it was OK. What just happened?

#8 sijo

  • Community Member
  • 268 posts
  • Real Name:Stein Ivar Johnsen
  • Gender:Male
  • Location:Norway

Posted 25 January 2010, 13:26

Black Jack 21, on 22 August 2008, 09:26, said:

Hi,

I've often read about renaming the admin folder for security reasons. Unfortunately, the admin folder name is written into every e-mail sent by order.php, in the X-PHP-SCRIPT statement.

Does anyone have an idea how to remove the X-PHP-SCRIPT line from the e-mail header?


Black Jack 21

Hi..
I think I've found a solution for this, but I (we) need help from someone with php programming skills.
This is what I find in messages now:
X-PHP-Script: emti.no/catalog/admin/mail.php for xx.xxx.xxx.xx

If we move the catalog/admin/mail.php to catalog/mail.php and do the programming needed for this, then you will get this in your message: (Same goes for orders.php)
X-PHP-Script: emti.no/catalog/mail.php for xx.xxx.xxx.xx
I did some small changes just to be able to test this.

Someone willing to do this job for us?
---------------
regards
sijo
---------------

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

#9 Ben Nevis

  • Community Member
  • 339 posts
  • Real Name:Richard Goodman
  • Gender:Male

Posted 25 January 2010, 19:26

sijo, on 25 January 2010, 13:26, said:

Hi..
I think I've found a solution for this, but I (we) need help from someone with php programming skills.
This is what I find in messages now:
X-PHP-Script: emti.no/catalog/admin/mail.php for xx.xxx.xxx.xx

If we move the catalog/admin/mail.php to catalog/mail.php and do the programming needed for this, then you will get this in your message: (Same goes for orders.php)
X-PHP-Script: emti.no/catalog/mail.php for xx.xxx.xxx.xx
I did some small changes just to be able to test this.

Someone willing to do this job for us?
I wouldn't do that. You want to open the file that gets exploited in the admin directory to access by one and all, in a public directory, in order to hide the name of the admin directory? That's daft.

Security that relies just on hiding things, including the name of the admin directory, isn't real security. The fact that the path to the mailer appears in outgoing emails is a bit irritating, but even if someone who orders from your site receives an admin email and finds out what you are calling your admin directory (assuming you have changed it from the default to help avoid exploits on the files it contains), if you have properly secured it they will still not be able to exploit those files.

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

#10 Pipeloops

  • Community Member
  • 32 posts
  • Real Name:Reiner

Posted 01 September 2010, 08:09

Hi,

I know this is an old thread, but I just stumbled across it.

Basically I fully agree that renaming your admin is by no means sufficient; make your site as safe as you can by following all the other good advice found on the forum. However, I also was a bit concerned about sending out the admin folder name with mails.
The solution is actually quite simple. First, the X-PHP-Script header originates from the mail function in PHP itself and is meant as a help to identify the real source of a mail to help against spamming. So far so good. It can be circumvented quite easily though. The mail function simply uses the $PHP_SELF variable for this, so it can easily be faked. In my case the admin/mail.php and admin/orders.php scripts are sending out mails (osCommerce MS2.2), so I did something like this (mail.php as example, do the same in orders.php):

    // before sending mail, change PHP_SELF to hide admin dir from mail header
    $tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
    $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
    while ($mail = tep_db_fetch_array($mail_query)) {
      $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
    }
    // restore the real value once the mails are out
    $HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

Before sending the mail this stores the value of $PHP_SELF in a temporary variable, puts a false script name in there, and then restores the value after sending the mail. Now the name of the admin folder no longer appears in the mail headers.

Best wishes
Reiner

#11 Martijn89

  • Community Member
  • 6 posts
  • Real Name:Martijn

Posted 10 November 2010, 23:18

Pipeloops, on 01 September 2010, 08:09, said:

Hi,

I know this is an old thread, but I just stumbled across it.

Basically I fully agree that renaming your admin is by no means sufficient; make your site as safe as you can by following all the other good advice found on the forum. However, I also was a bit concerned about sending out the admin folder name with mails.
The solution is actually quite simple. First, the X-PHP-Script header originates from the mail function in PHP itself and is meant as a help to identify the real source of a mail to help against spamming. So far so good. It can be circumvented quite easily though. The mail function simply uses the $PHP_SELF variable for this, so it can easily be faked. In my case the admin/mail.php and admin/orders.php scripts are sending out mails (osCommerce MS2.2), so I did something like this (mail.php as example, do the same in orders.php):

    // before sending mail, change PHP_SELF to hide admin dir from mail header
    $tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
    $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
    while ($mail = tep_db_fetch_array($mail_query)) {
      $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
    }
    // restore the real value once the mails are out
    $HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

Before sending the mail this stores the value of $PHP_SELF in a temporary variable, puts a false script name in there, and then restores the value after sending the mail. Now the name of the admin folder no longer appears in the mail headers.

Best wishes
Reiner

Hi Reiner,

This doesn't work for me... the X-Php remains visible... any idea or suggestions?

Regards,
Martijn

#12 Martijn89

  • Community Member
  • 6 posts
  • Real Name:Martijn

Posted 11 November 2010, 00:18

Martijn89, on 10 November 2010, 23:18, said:

Hi Reiner,

This doesn't work for me... the X-Php remains visible... any idea or suggestions?

Regards,
Martijn
Whoops! I didn't see that the changed file hadn't uploaded correctly. Works FINE for me!!! Thanks! :lol:

#13 Debs

  • Community Member
  • 133 posts
  • Real Name:Debs
  • Gender:Female
  • Location:Fargo, ND UNITED STATES

Posted 11 November 2010, 06:26

Martijn89, on 11 November 2010, 00:18, said:

Whoops! I didn't see that the changed file hadn't uploaded correctly. Works FINE for me!!! Thanks! :lol:

That really looks like a great idea. Any drawbacks?

It should be a contribution with easy cut and replace code so everyone could use it.

I have had some "fake orders" before, with names like aaaaaaaaa and addresses the same, only to have hack attempts very soon after. They must wait for that email so they can read the headers and try to hack in.

#14 Martijn89

  • Community Member
  • 6 posts
  • Real Name:Martijn

Posted 11 November 2010, 09:54

Debs, on 11 November 2010, 06:26, said:

That really looks like a great idea. Any drawbacks?

It should be a contribution with easy cut and replace code so everyone could use it.

I have had some "fake orders" before, with names like aaaaaaaaa and addresses the same, only to have hack attempts very soon after. They must wait for that email so they can read the headers and try to hack in.

No drawbacks so far. When I send a mail right now, in the detailed header the X-PHP-Script shows: http://www.mydomain.nl/mail.php, but you can set whatever name you like!

The code shown above is cut & replace in mail.php, but in order.php I still have to find out where to put it, because there is no such code in that file. As soon as/if it works I'll post my new code for order.php!

#15 tigergirl

  • Community Member
  • 423 posts
  • Real Name:Tigergirl
  • Gender:Not Telling
  • Location:UK

Posted 17 November 2010, 17:47

Where exactly in admin/mail.php do you put this code, please? I really want to sort it out for when I send out order update emails.

Thanks


I'm feeling lucky today......maybe someone will answer my post!
I do try and answer a simple post when I can just to give something back.
------------------------------------------------
PM me? - I'm not for hire

#16 blueedge

  • Community Member
  • 141 posts
  • Real Name:Keith

Posted 01 July 2011, 13:31

I have made the recommended change to the admin/mail.php file. Now, the admin directory does not appear in the email header for emails sent using the Send Email function in the admin.

I checked the order acknowledgement email that is sent immediately after an order is submitted, and the admin directory does not appear in the email headers.

However, I cannot find similar mail code in the admin/orders.php file to hide the admin directory in the email headers for order status update emails. Does anyone know how to hide the reference to the admin directory in order update emails?

#17 blueedge

  • Community Member
  • 141 posts
  • Real Name:Keith

Posted 01 July 2011, 15:40

Well, it looks like the code used to send order update emails is in admin/includes/functions/general.php.

  function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
    if (SEND_EMAILS != 'true') return false;

    // Instantiate a new mail object
    $message = new email(array('X-Mailer: osCommerce'));

    // Build the text version
    $text = strip_tags($email_text);
    if (EMAIL_USE_HTML == 'true') {
      $message->add_html($email_text, $text);
    } else {
      $message->add_text($text);
    }

    // Send message
    $message->build_message();
    $message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);
  }

  function tep_get_tax_class_title($tax_class_id) {
    if ($tax_class_id == '0') {
      return TEXT_NONE;
    } else {
      $classes_query = tep_db_query("select tax_class_title from " . TABLE_TAX_CLASS . " where tax_class_id = '" . (int)$tax_class_id . "'");
      $classes = tep_db_fetch_array($classes_query);

      return $classes['tax_class_title'];
    }
  }

Unfortunately, the code is not the same as in the mail.php file. After a couple of failed attempts to change it so the admin directory is not included in the email headers, I have conclusively determined that I don't know what I'm doing. :D

Does anyone know how to make the necessary changes?

#18 burt

  • Community Sponsor
  • 6,953 posts
  • Real Name:G Burton
  • Gender:Male
  • Location:UK/DEV/on

Posted 01 July 2011, 16:26

Exact same idea;

FROM THIS:
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

TO THIS:
// save the real script path and put a harmless one in its place while the mail goes out
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
// put the real path back
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

The Dirty Little Secrets that no osCommerce template sellers want you to know...revealed...

Support is commercially available. The question is whether you value your business
highly enough to spend money on it.

For commercial support from known developers who support osCommerce
ethos, please post at http://forums.oscommerce.com/forum/79-commercial-support/

#19 blueedge

  • Community Member
  • 141 posts
  • Real Name:Keith

Posted 01 July 2011, 20:58

I used your example to amend the code as follows:

    // Send message
    $message->build_message();

    // 7-1-11: added to hide the admin directory in order update email headers;
    // goes together with the restore a few lines below
    $tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
    $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";

    $message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);

    // 7-1-11: restore the real value (see the lines above)
    $HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

  }

However, the admin directory still appears in the email header.

#20 ctec2001

  • Community Member
  • 223 posts
  • Real Name:Michael
  • Gender:Male

Posted 02 July 2011, 05:43

blueedge, on 01 July 2011, 20:58, said:

I used your example to amend the code as follows:

    // Send message
    $message->build_message();

    // 7-1-11: added to hide the admin directory in order update email headers;
    // goes together with the restore a few lines below
    $tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
    $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";

    $message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);

    // 7-1-11: restore the real value (see the lines above)
    $HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

  }

However, the admin directory still appears in the email header.

You will have to do this in the orders.php file in the admin folder.

// Before sending mail, chg PHP_SELF to hide admin dir from mail header

$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";

//**********ORIGINAL CODE**************
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
//**********END ORIGINAL CODE**********

$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

//End Modification to email header

Locate the original code shown above in the orders.php file. Copy everything from // Before to //End and paste it over the original code in orders.php.

Hope this helps.

Mike
Do or Do Not, there is no try.
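A scope-safe version of the PHP_SELF masking from posts #10, #18 and #20, written as an added example for this thread; it is not osCommerce code and not code posted by anyone above. It assumes PHP 5.5 or later (try/finally) and a host whose mail() header patch builds the `X-PHP-Script: host/path for ip` line from PHP_SELF, which is what the thread's own results show: the line in that format is not produced by an unpatched PHP (which is why post #4 found nothing in the osCommerce source) but by a mail() patch that many shared hosts build in. Two points explain why post #19's edit inside tep_mail() failed while the edits in mail.php and orders.php worked: $HTTP_SERVER_VARS is an ordinary global, not a superglobal, so assigning to it inside a function only creates a local array; and the long arrays were removed in PHP 5.4, after which $HTTP_SERVER_VARS is an unrelated variable everywhere. $_SERVER is a superglobal and is the right array to patch from any scope, so the helper below can wrap the $message->send() call inside tep_mail() as well as the tep_mail() calls in orders.php. The function name, the constructed request values and the stand-alone "sender" are mine.

```php
<?php
// Added example, not osCommerce code. Assumes PHP 5.5+ (try/finally).
//
// Masks the script path a mail() header patch reads from $_SERVER while a
// send runs, then restores it. Patches $_SERVER (a superglobal, visible in
// every scope), not $HTTP_SERVER_VARS (a plain global that is local inside a
// function and absent on PHP 5.4+), which is why this works from inside
// tep_mail() where the thread's in-function edit did not.

/**
 * Run $send with $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME'] replaced
 * by $public_path, restoring the originals afterwards even if $send throws.
 * A header patch that derives X-PHP-Script from PHP_SELF then records
 * $public_path instead of the admin directory.
 */
function send_with_masked_script_path(callable $send, $public_path = '/mail.php')
{
    $keys  = array('PHP_SELF', 'SCRIPT_NAME');
    $saved = array();
    foreach ($keys as $k) {
        if (array_key_exists($k, $_SERVER)) {
            $saved[$k] = $_SERVER[$k];
        }
        $_SERVER[$k] = $public_path;
    }
    try {
        return $send();
    } finally {
        // Always put the real values back so later code in the request
        // (logging, redirects, tep_href_link) is not misled by the fake path.
        foreach ($keys as $k) {
            if (array_key_exists($k, $saved)) {
                $_SERVER[$k] = $saved[$k];
            } else {
                unset($_SERVER[$k]);
            }
        }
    }
}

// Inside osCommerce's tep_mail() (admin/includes/functions/general.php) the
// bare $message->send(...) call quoted in post #17 would become the call
// below. $message and the argument variables belong to tep_mail() and do not
// exist in this stand-alone file, so it is shown as a comment:
//
//   send_with_masked_script_path(function () use ($message, $to_name, $to_email_address,
//                                                  $from_email_name, $from_email_address, $email_subject) {
//       $message->send($to_name, $to_email_address, $from_email_name,
//                      $from_email_address, $email_subject);
//   });

// Stand-alone check with a constructed "sender" that sends nothing and only
// reports the path a header patch would read at the moment mail() is called.
$_SERVER['PHP_SELF']    = '/catalog/admin/orders.php';   // constructed request values
$_SERVER['SCRIPT_NAME'] = '/catalog/admin/orders.php';

$seen_during_send = send_with_masked_script_path(function () {
    return $_SERVER['PHP_SELF'];
});

$masked   = ($seen_during_send === '/mail.php');
$restored = ($_SERVER['PHP_SELF'] === '/catalog/admin/orders.php'
             && $_SERVER['SCRIPT_NAME'] === '/catalog/admin/orders.php');

printf("path visible during send: %s\n", $seen_during_send);
printf("path after send:          %s\n", $_SERVER['PHP_SELF']);
echo ($masked && $restored) ? "masking and restore work as intended\n"
                            : "masking or restore failed\n";
```

To see what your own host's PHP actually stamps on outgoing mail, send one throwaway message with sendmail_path pointed at a file, for example `php -d sendmail_path='cat >> /tmp/outbound.eml' -r 'mail("you@example.invalid", "test", "test");'`, and read the headers in /tmp/outbound.eml; note that the CLI binary may differ from the one Apache or FastCGI uses, so the definitive check is a real order e-mail. The other header seen in this thread, `X-PHP-Originating-Script: uid:script.php` (post #7), is added by stock PHP when the `mail.add_x_header` directive is on; it carries only the process UID and the script's basename, so it does not reveal the admin directory, and it cannot be changed from script because the directive is PHP_INI_PERDIR (php.ini, a `php_flag mail.add_x_header Off` line in .htaccess under mod_php, or .user.ini under CGI/FastCGI). As Ben Nevis says above, the masking only removes a hint; it does not replace properly securing the admin directory.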